d878a7c8...3ba3 | Grouped Behavior
VTI SCORE: 93/100
Dynamic Analysis Report
Classification: Downloader

d878a7c8fa46c52020a07de7726a8a740d245dcf0a58355b88a054059f933ba3 (SHA256)

Mert-Obfuscated25.xlsm

Excel Document

Created at 2019-02-17 13:34:00

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x938 Analysis Target Medium excel.exe "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -
#2 0x368 RPC Server System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #1
#4 0xb64 RPC Server System (Elevated) wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding #2
#5 0xb98 RPC Server System (Elevated) msiexec.exe C:\Windows\system32\msiexec.exe /V #4

Behavior Information - Grouped by Category

Process #1: excel.exe
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\excel.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:29, Reason: Analysis Target
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:03:24
OS Process Information
Information Value
PID 0x938
Parent PID 0x460 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Host Behavior
COM (7)
Operation Class Interface Additional Information Success Count
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 1
Create WbemDefaultPathParser IWbemPath cls_context = CLSCTX_INPROC_SERVER True 3
Create MSXML2.XMLHTTP IUnknown cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Execute MSXML2.XMLHTTP IDispatch method_name = Open True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\CIMV2 True 1
Registry (83)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Open Key HKEY_CLASSES_ROOT\Licenses - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409 - False 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9 - False 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0\0 - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0\0\win64 - False 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0\0\win32 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 3
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0\0 - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0\0\win32 - True 1
Read Value HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 data = } False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = RequireDeclaration, data = 145, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = CompileOnDemand, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BackGroundCompile, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 data = C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE True 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 data = C:\Windows\system32\stdole2.tlb True 2
Read Value HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL True 2
Read Value HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0\0\win64 data = 챀ದ False 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0\0\win32 data = C:\Windows\System32\msxml6.dll True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = VbaCapability, data = 112 False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Impersonation Level, data = 3 True 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\6.0\0\win64 data = ” False 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221} - True 1
Module (200)
Operation Module Additional Information Success Count
Load Comctl32.dll base_address = 0x7fefc030000 True 1
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x7fee57a0000 True 1
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL base_address = 0x7fee6110000 True 1
Load OLEAUT32.DLL base_address = 0x7feff380000 True 1
Load VBE7.DLL base_address = 0x7fee5a40000 True 27
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefed90000 True 1
Load ADVAPI32.DLL base_address = 0x7fefed90000 True 1
Get Handle Unknown module name base_address = 0x13f250000 True 1
Get Handle MSI.DLL base_address = 0x7fef9a00000 True 1
Get Handle C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x0 False 1
Get Handle USER32 base_address = 0x774e0000 True 1
Get Handle oleaut32.dll base_address = 0x7feff380000 True 1
Get Filename - process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 3
Get Address Unknown module name function = MsiProvideQualifiedComponentA, address_out = 0x7fef9a83b3c True 1
Get Address Unknown module name function = MsiGetProductCodeA, address_out = 0x7fef9a7a13c True 1
Get Address Unknown module name function = MsiReinstallFeatureA, address_out = 0x7fef9a81618 True 1
Get Address Unknown module name function = MsiProvideComponentA, address_out = 0x7fef9a7f088 True 1
Get Address Unknown module name function = MsoVBADigSigCallDlg, address_out = 0x7fee58a72c0 True 1
Get Address Unknown module name function = MsoVbaInitSecurity, address_out = 0x7fee58160b0 True 1
Get Address Unknown module name function = MsoFIEPolicyAndVersion, address_out = 0x7fee57c1a60 True 1
Get Address Unknown module name function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee5815f50 True 1
Get Address Unknown module name function = MsoFInitOffice, address_out = 0x7fee57bf000 True 1
Get Address Unknown module name function = MsoUninitOffice, address_out = 0x7fee57ae860 True 1
Get Address Unknown module name function = MsoFGetFontSettings, address_out = 0x7fee57a3fc0 True 1
Get Address Unknown module name function = MsoRgchToRgwch, address_out = 0x7fee57b2380 True 1
Get Address Unknown module name function = MsoHrSimpleQueryInterface, address_out = 0x7fee57a7b80 True 1
Get Address Unknown module name function = MsoHrSimpleQueryInterface2, address_out = 0x7fee57a7b20 True 1
Get Address Unknown module name function = MsoFCreateControl, address_out = 0x7fee57a8730 True 1
Get Address Unknown module name function = MsoFLongLoad, address_out = 0x7fee58e3260 True 1
Get Address Unknown module name function = MsoFLongSave, address_out = 0x7fee58e3280 True 1
Get Address Unknown module name function = MsoFGetTooltips, address_out = 0x7fee57b1f40 True 1
Get Address Unknown module name function = MsoFSetTooltips, address_out = 0x7fee5816370 True 1
Get Address Unknown module name function = MsoFLoadToolbarSet, address_out = 0x7fee5804590 True 1
Get Address Unknown module name function = MsoFCreateToolbarSet, address_out = 0x7fee57a55b0 True 1
Get Address Unknown module name function = MsoHpalOffice, address_out = 0x7fee57b0240 True 1
Get Address Unknown module name function = MsoFWndProcNeeded, address_out = 0x7fee57a3d10 True 1
Get Address Unknown module name function = MsoFWndProc, address_out = 0x7fee57a6d30 True 1
Get Address Unknown module name function = MsoFCreateITFCHwnd, address_out = 0x7fee57a3d40 True 1
Get Address Unknown module name function = MsoDestroyITFC, address_out = 0x7fee57ae6f0 True 1
Get Address Unknown module name function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee57adf40 True 1
Get Address Unknown module name function = MsoFGetComponentManager, address_out = 0x7fee57a7bf0 True 1
Get Address Unknown module name function = MsoMultiByteToWideChar, address_out = 0x7fee57afcd0 True 1
Get Address Unknown module name function = MsoWideCharToMultiByte, address_out = 0x7fee57a8b20 True 1
Get Address Unknown module name function = MsoHrRegisterAll, address_out = 0x7fee58a2ef0 True 1
Get Address Unknown module name function = MsoFSetComponentManager, address_out = 0x7fee57b42c0 True 1
Get Address Unknown module name function = MsoFCreateStdComponentManager, address_out = 0x7fee57a3e20 True 1
Get Address Unknown module name function = MsoFHandledMessageNeeded, address_out = 0x7fee57aab10 True 1
Get Address Unknown module name function = MsoPeekMessage, address_out = 0x7fee57aa7d0 True 1
Get Address Unknown module name function = MsoFCreateIPref, address_out = 0x7fee57a1550 True 1
Get Address Unknown module name function = MsoDestroyIPref, address_out = 0x7fee57ae830 True 1
Get Address Unknown module name function = MsoChsFromLid, address_out = 0x7fee57a13d0 True 1
Get Address Unknown module name function = MsoCpgFromChs, address_out = 0x7fee57a6660 True 1
Get Address Unknown module name function = MsoSetLocale, address_out = 0x7fee57a1500 True 1
Get Address Unknown module name function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee57a3dd0 True 1
Get Address Unknown module name function = MsoSetVbaInterfaces, address_out = 0x7fee58a71e0 True 1
Get Address Unknown module name function = MsoGetControlInstanceId, address_out = 0x7fee5876d10 True 1
Get Address Unknown module name function = VbeuiFIsEdpEnabled, address_out = 0x7fee58e98e0 True 1
Get Address Unknown module name function = VbeuiEnterpriseProtect, address_out = 0x7fee58e9830 True 1
Get Address Unknown module name function = SysFreeString, address_out = 0x7feff381320 True 1
Get Address Unknown module name function = LoadTypeLib, address_out = 0x7feff38f1e0 True 1
Get Address Unknown module name function = RegisterTypeLib, address_out = 0x7feff3dcaa0 True 1
Get Address Unknown module name function = QueryPathOfRegTypeLib, address_out = 0x7feff411760 True 1
Get Address Unknown module name function = UnRegisterTypeLib, address_out = 0x7feff4120d0 True 2
Get Address Unknown module name function = OleTranslateColor, address_out = 0x7feff3ac760 True 1
Get Address Unknown module name function = OleCreateFontIndirect, address_out = 0x7feff3decd0 True 1
Get Address Unknown module name function = OleCreatePictureIndirect, address_out = 0x7feff3de840 True 1
Get Address Unknown module name function = OleLoadPicture, address_out = 0x7feff3ef420 True 1
Get Address Unknown module name function = OleCreatePropertyFrameIndirect, address_out = 0x7feff3e4ec0 True 1
Get Address Unknown module name function = OleCreatePropertyFrame, address_out = 0x7feff3e9350 True 1
Get Address Unknown module name function = OleIconToCursor, address_out = 0x7feff3b6e40 True 1
Get Address Unknown module name function = LoadTypeLibEx, address_out = 0x7feff38a550 True 2
Get Address Unknown module name function = OleLoadPictureEx, address_out = 0x7feff3ef320 True 1
Get Address Unknown module name function = GetSystemMetrics, address_out = 0x774f94f0 True 1
Get Address Unknown module name function = MonitorFromWindow, address_out = 0x774f5f08 True 1
Get Address Unknown module name function = MonitorFromRect, address_out = 0x774f2b00 True 1
Get Address Unknown module name function = MonitorFromPoint, address_out = 0x774eab64 True 1
Get Address Unknown module name function = EnumDisplayMonitors, address_out = 0x774f5c30 True 1
Get Address Unknown module name function = GetMonitorInfoA, address_out = 0x774ea730 True 1
Get Address Unknown module name function = EnumDisplayDevicesA, address_out = 0x774ea5b4 True 1
Get Address Unknown module name function = DispCallFunc, address_out = 0x7feff382270 True 1
Get Address Unknown module name function = CreateTypeLib2, address_out = 0x7feff40dbd0 True 1
Get Address Unknown module name function = VarDateFromUdate, address_out = 0x7feff385c90 True 1
Get Address Unknown module name function = VarUdateFromDate, address_out = 0x7feff386330 True 1
Get Address Unknown module name function = GetAltMonthNames, address_out = 0x7feff3a66c0 True 1
Get Address Unknown module name function = VarNumFromParseNum, address_out = 0x7feff384710 True 1
Get Address Unknown module name function = VarParseNumFromStr, address_out = 0x7feff3848f0 True 1
Get Address Unknown module name function = VarDecFromR4, address_out = 0x7feff3bb640 True 1
Get Address Unknown module name function = VarDecFromR8, address_out = 0x7feff3bb360 True 1
Get Address Unknown module name function = VarDecFromDate, address_out = 0x7feff3c2640 True 1
Get Address Unknown module name function = VarDecFromI4, address_out = 0x7feff3a58a0 True 1
Get Address Unknown module name function = VarDecFromCy, address_out = 0x7feff3a5820 True 1
Get Address Unknown module name function = VarR4FromDec, address_out = 0x7feff3baf20 True 1
Get Address Unknown module name function = GetRecordInfoFromTypeInfo, address_out = 0x7feff3da0c0 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromGuids, address_out = 0x7feff412160 True 1
Fn
Get Address Unknown module name function = SafeArrayGetRecordInfo, address_out = 0x7feff3a5af0 True 1
Fn
Get Address Unknown module name function = SafeArraySetRecordInfo, address_out = 0x7feff3a5a90 True 1
Fn
Get Address Unknown module name function = SafeArrayGetIID, address_out = 0x7feff3a5a60 True 1
Fn
Get Address Unknown module name function = SafeArraySetIID, address_out = 0x7feff3a5a30 True 1
Fn
Get Address Unknown module name function = SafeArrayCopyData, address_out = 0x7feff3860b0 True 1
Fn
Get Address Unknown module name function = SafeArrayAllocDescriptorEx, address_out = 0x7feff383e90 True 1
Fn
Get Address Unknown module name function = SafeArrayCreateEx, address_out = 0x7feff3d9f80 True 1
Fn
Get Address Unknown module name function = VarFormat, address_out = 0x7feff409b20 True 1
Fn
Get Address Unknown module name function = VarFormatDateTime, address_out = 0x7feff409aa0 True 1
Fn
Get Address Unknown module name function = VarFormatNumber, address_out = 0x7feff409990 True 1
Fn
Get Address Unknown module name function = VarFormatPercent, address_out = 0x7feff409890 True 1
Fn
Get Address Unknown module name function = VarFormatCurrency, address_out = 0x7feff409770 True 1
Fn
Get Address Unknown module name function = VarWeekdayName, address_out = 0x7feff3eb8d0 True 1
Fn
Get Address Unknown module name function = VarMonthName, address_out = 0x7feff3eb800 True 1
Fn
Get Address Unknown module name function = VarAdd, address_out = 0x7feff4048e0 True 1
Fn
Get Address Unknown module name function = VarAnd, address_out = 0x7feff409470 True 1
Fn
Get Address Unknown module name function = VarCat, address_out = 0x7feff4096a0 True 1
Fn
Get Address Unknown module name function = VarDiv, address_out = 0x7feff402fe0 True 1
Fn
Get Address Unknown module name function = VarEqv, address_out = 0x7feff409cf0 True 1
Fn
Get Address Unknown module name function = VarIdiv, address_out = 0x7feff408ff0 True 1
Fn
Get Address Unknown module name function = VarImp, address_out = 0x7feff409c00 True 1
Fn
Get Address Unknown module name function = VarMod, address_out = 0x7feff408e60 True 1
Fn
Get Address Unknown module name function = VarMul, address_out = 0x7feff403690 True 1
Fn
Get Address Unknown module name function = VarOr, address_out = 0x7feff4092d0 True 1
Fn
Get Address Unknown module name function = VarPow, address_out = 0x7feff402e80 True 1
Fn
Get Address Unknown module name function = VarSub, address_out = 0x7feff403f90 True 1
Fn
Get Address Unknown module name function = VarXor, address_out = 0x7feff4091a0 True 1
Fn
Get Address Unknown module name function = VarAbs, address_out = 0x7feff3e7c30 True 1
Fn
Get Address Unknown module name function = VarFix, address_out = 0x7feff3e7a60 True 1
Fn
Get Address Unknown module name function = VarInt, address_out = 0x7feff3e7890 True 1
Fn
Get Address Unknown module name function = VarNeg, address_out = 0x7feff3e7ea0 True 1
Fn
Get Address Unknown module name function = VarNot, address_out = 0x7feff409600 True 1
Fn
Get Address Unknown module name function = VarRound, address_out = 0x7feff3e76a0 True 1
Fn
Get Address Unknown module name function = VarCmp, address_out = 0x7feff4083f0 True 1
Fn
Get Address Unknown module name function = VarDecAdd, address_out = 0x7feff3b3070 True 1
Fn
Get Address Unknown module name function = VarDecCmp, address_out = 0x7feff3bd700 True 1
Fn
Get Address Unknown module name function = VarBstrCat, address_out = 0x7feff3bd890 True 1
Fn
Get Address Unknown module name function = VarCyMulI4, address_out = 0x7feff39caf0 True 1
Fn
Get Address Unknown module name function = VarBstrCmp, address_out = 0x7feff3a8a00 True 1
Fn
Get Address Unknown module name address_out = 0x7fee57afcd0 True 1
Fn
Get Address Unknown module name address_out = 0x0 False 1
Fn
Get Address Unknown module name function = 626, address_out = 0x7fee5d82a80 True 3
Fn
Get Address Unknown module name function = 556, address_out = 0x7fee5bab298 True 3
Fn
Get Address Unknown module name function = 560, address_out = 0x7fee5bab3e8 True 3
Fn
Get Address Unknown module name function = 710, address_out = 0x7fee5dc993c True 3
Fn
Get Address Unknown module name function = 631, address_out = 0x7fee5bad690 True 3
Fn
Get Address Unknown module name function = 581, address_out = 0x7fee5baa6c8 True 3
Fn
Get Address Unknown module name function = 537, address_out = 0x7fee5baad64 True 3
Fn
Get Address Unknown module name function = DuplicateTokenEx, address_out = 0x7fefed9d310 True 1
Fn
Get Address Unknown module name function = 716, address_out = 0x7fee5d824c8 True 3
Fn
Get Address Unknown module name function = 717, address_out = 0x7fee5da48e0 True 3
Fn
Get Address Unknown module name function = CryptAcquireContextA, address_out = 0x7fefed98180 True 1
Fn
Get Address Unknown module name function = CryptCreateHash, address_out = 0x7fefed9dad4 True 1
Fn
Get Address Unknown module name function = CryptDestroyHash, address_out = 0x7fefed9db00 True 1
Fn
Get Address Unknown module name function = CryptHashData, address_out = 0x7fefed9dac0 True 1
Fn
Get Address Unknown module name function = CryptGetHashParam, address_out = 0x7fefed9db20 True 1
Fn
Get Address Unknown module name function = CryptReleaseContext, address_out = 0x7fefed9dd10 True 1
Fn
Get Address Unknown module name function = CryptGenRandom, address_out = 0x7fefed9dc60 True 1
Fn
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = ThunderMain, wndproc_parameter = 0 True 1 Fn
Keyboard (55)
Operation Additional Information Success Count Logfile
Read virtual_key_code = VK_ESCAPE, result_out = 0 True 55 Fn
System (26)
Operation Additional Information Success Count Logfile
Get Cursor x_out = 568, y_out = 449 True 1 Fn
Get Cursor x_out = 1151, y_out = 371 True 1 Fn
Get Time type = System Time, time = 2019-02-17 13:35:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 107578 True 1 Fn
Get Time type = Local Time, time = 2019-02-17 13:35:05 (Local Time) True 5 Fn
Get Time type = System Time, time = 2019-02-17 13:35:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 108857 True 1 Fn
Get Time type = Ticks, time = 279709 True 9 Fn
Get Info type = Operating System True 2 Fn
Get Info type = Operating System True 3 Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String name = DDRYBUR False 1 Fn
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 676 bytes
Total Data Received 0 bytes
Contacted Host Count 1
Contacted Hosts www.mertsarica.com
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name www.mertsarica.com
Server Port 443
Data Sent 676
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1 Fn
Open Connection protocol = https, server_name = www.mertsarica.com, server_port = 443 True 1 Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /macro.php True 1 Fn
Send HTTP Request url = https://www.mertsarica.com/macro.php True 2 Fn
Process #2: svchost.exe
0 0
Information Value
ID #2
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:40, Reason: RPC Server
Unmonitor End Time: 00:04:34, Reason: Terminated by Timeout
Monitor Duration 00:03:54
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x368
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x768
0x440
0x578
0x764
0x6D4
0x660
0x370
0x330
0x184
0x554
0x568
0x420
0x7E4
0x7DC
0x7D8
0x7D4
0x784
0x75C
0x748
0x744
0x738
0x728
0x724
0x71C
0x700
0x6FC
0x6F4
0x6A8
0x4C4
0x488
0x47C
0x478
0x458
0x444
0x30C
0x294
0x1E0
0x3F8
0x3EC
0x3E0
0x388
0x384
0x380
0x37C
0x374
0x36C
0xB30
0xB5C
0xB60
0x320
0x808
0x818
0x828
0x838
0x848
0x668
0x884
0x8AC
0x8A0
0x89C
0x584
0xA8C
0x870
0x874
0x2AC
0x114
0x480
0x23C
0x44C
0x834
0x844
0x854
0x868
0x888
0x74C
0x2EC
0xC4
0xB94
0x248
0x944
0x814
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x00250fff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x00260fff Private Memory rw True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory r True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00517fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000520000 0x00520000 0x006a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006b0000 0x006b0000 0x0076ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000770000 0x00770000 0x00b62fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000b70000 0x00b70000 0x00b70fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000b80000 0x00b80000 0x00b80fff Pagefile Backed Memory r True False False -
private_0x0000000000b90000 0x00b90000 0x00b90fff Private Memory rw True False False -
pagefile_0x0000000000ba0000 0x00ba0000 0x00ba1fff Pagefile Backed Memory r True False False -
cversions.2.db 0x00bb0000 0x00bb3fff Memory Mapped File r True False False -
pagefile_0x0000000000bc0000 0x00bc0000 0x00bc1fff Pagefile Backed Memory r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db 0x00bd0000 0x00bfffff Memory Mapped File r True False False -
cversions.2.db 0x00c00000 0x00c03fff Memory Mapped File r True False False -
private_0x0000000000c10000 0x00c10000 0x00c8ffff Private Memory rw True False False -
pagefile_0x0000000000c90000 0x00c90000 0x00c90fff Pagefile Backed Memory rw True False False -
firewallapi.dll.mui 0x00ca0000 0x00cbbfff Memory Mapped File rw False False False -
pagefile_0x0000000000cc0000 0x00cc0000 0x00cc0fff Pagefile Backed Memory r True False False -
private_0x0000000000ce0000 0x00ce0000 0x00d5ffff Private Memory rw True False False -
private_0x0000000000d60000 0x00d60000 0x00ddffff Private Memory rw True False False -
private_0x0000000000de0000 0x00de0000 0x00e5ffff Private Memory rw True False False -
private_0x0000000000e60000 0x00e60000 0x00edffff Private Memory rw True False False -
private_0x0000000000ef0000 0x00ef0000 0x00f6ffff Private Memory rw True False False -
private_0x0000000000f80000 0x00f80000 0x00ffffff Private Memory rw True False False -
private_0x0000000001000000 0x01000000 0x0107ffff Private Memory rw True False False -
sortdefault.nls 0x01080000 0x0134efff Memory Mapped File r False False False -
private_0x0000000001360000 0x01360000 0x013dffff Private Memory rw True False False -
private_0x00000000013f0000 0x013f0000 0x0146ffff Private Memory rw True False False -
private_0x0000000001480000 0x01480000 0x0148ffff Private Memory rw True False False -
private_0x00000000014a0000 0x014a0000 0x0151ffff Private Memory rw True False False -
private_0x0000000001540000 0x01540000 0x015bffff Private Memory rw True False False -
private_0x00000000015f0000 0x015f0000 0x0166ffff Private Memory rw True False False -
private_0x0000000001680000 0x01680000 0x016fffff Private Memory rw True False False -
private_0x0000000001750000 0x01750000 0x017cffff Private Memory rw True False False -
private_0x0000000001800000 0x01800000 0x0187ffff Private Memory rw True False False -
private_0x00000000018b0000 0x018b0000 0x0192ffff Private Memory rw True False False -
private_0x0000000001980000 0x01980000 0x019fffff Private Memory rw True False False -
private_0x0000000001a20000 0x01a20000 0x01a9ffff Private Memory rw True False False -
private_0x0000000001aa0000 0x01aa0000 0x01b9ffff Private Memory rw True False False -
private_0x0000000001ba0000 0x01ba0000 0x01c1ffff Private Memory rw True False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x01cb0000 0x01d15fff Memory Mapped File r True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01e7ffff Private Memory rw True False False -
pagefile_0x0000000001e80000 0x01e80000 0x021c2fff Pagefile Backed Memory r True False False -
private_0x00000000021d0000 0x021d0000 0x022cffff Private Memory rw True False False -
private_0x00000000022d0000 0x022d0000 0x0234ffff Private Memory rw True False False -
private_0x0000000002380000 0x02380000 0x023fffff Private Memory rw True False False -
private_0x0000000002400000 0x02400000 0x0247ffff Private Memory rw True False False -
private_0x00000000024a0000 0x024a0000 0x0251ffff Private Memory rw True False False -
private_0x0000000002550000 0x02550000 0x0255ffff Private Memory rw True False False -
private_0x00000000025a0000 0x025a0000 0x0261ffff Private Memory rw True False False -
private_0x0000000002660000 0x02660000 0x026dffff Private Memory rw True False False -
private_0x0000000002720000 0x02720000 0x0279ffff Private Memory rw True False False -
private_0x0000000002830000 0x02830000 0x028affff Private Memory rw True False False -
private_0x0000000002910000 0x02910000 0x0298ffff Private Memory rw True False False -
private_0x00000000029f0000 0x029f0000 0x02a6ffff Private Memory rw True False False -
private_0x0000000002b20000 0x02b20000 0x02b9ffff Private Memory rw True False False -
private_0x0000000002bb0000 0x02bb0000 0x02bbffff Private Memory rw True False False -
private_0x0000000002c60000 0x02c60000 0x02d5ffff Private Memory rw True False False -
private_0x0000000002d60000 0x02d60000 0x02ddffff Private Memory rw True False False -
private_0x0000000002e60000 0x02e60000 0x02f5ffff Private Memory rw True False False -
private_0x0000000003010000 0x03010000 0x0308ffff Private Memory rw True False False -
private_0x00000000030c0000 0x030c0000 0x0313ffff Private Memory rw True False False -
private_0x0000000003140000 0x03140000 0x031bffff Private Memory rw True False False -
private_0x00000000031c0000 0x031c0000 0x0323ffff Private Memory rw True False False -
private_0x0000000003240000 0x03240000 0x032bffff Private Memory rw True False False -
private_0x00000000032e0000 0x032e0000 0x0335ffff Private Memory rw True False False -
private_0x0000000003360000 0x03360000 0x0345ffff Private Memory rw True False False -
private_0x00000000034a0000 0x034a0000 0x0351ffff Private Memory rw True False False -
private_0x00000000035d0000 0x035d0000 0x0364ffff Private Memory rw True False False -
private_0x00000000036b0000 0x036b0000 0x0372ffff Private Memory rw True False False -
private_0x00000000037c0000 0x037c0000 0x0383ffff Private Memory rw True False False -
private_0x0000000003940000 0x03940000 0x03b3ffff Private Memory rw True False False -
private_0x0000000003ba0000 0x03ba0000 0x03c1ffff Private Memory rw True False False -
private_0x0000000003ca0000 0x03ca0000 0x03d1ffff Private Memory rw True False False -
private_0x0000000003d80000 0x03d80000 0x03dfffff Private Memory rw True False False -
private_0x0000000003e60000 0x03e60000 0x03edffff Private Memory rw True False False -
private_0x0000000003f60000 0x03f60000 0x03fdffff Private Memory rw True False False -
private_0x0000000003fe0000 0x03fe0000 0x0405ffff Private Memory rw True False False -
private_0x0000000004070000 0x04070000 0x040effff Private Memory rw True False False -
private_0x0000000004110000 0x04110000 0x0418ffff Private Memory rw True False False -
private_0x0000000004210000 0x04210000 0x0428ffff Private Memory rw True False False -
private_0x00000000042a0000 0x042a0000 0x0431ffff Private Memory rw True False False -
private_0x0000000004360000 0x04360000 0x043dffff Private Memory rw True False False -
pagefile_0x00000000043e0000 0x043e0000 0x044dffff Pagefile Backed Memory rw True False False -
private_0x00000000045c0000 0x045c0000 0x0463ffff Private Memory rw True False False -
private_0x0000000004830000 0x04830000 0x048affff Private Memory rw True False False -
kernel32.dll 0x773c0000 0x774defff Memory Mapped File rwx False False False -
user32.dll 0x774e0000 0x775d9fff Memory Mapped File rwx False False False -
ntdll.dll 0x775e0000 0x77788fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
svchost.exe 0xffaa0000 0xffaaafff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fef5270000 0x7fef527bfff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7fef53d0000 0x7fef53d7fff Memory Mapped File rwx False False False -
tcpipcfg.dll 0x7fef53e0000 0x7fef5421fff Memory Mapped File rwx False False False -
mprapi.dll 0x7fef5430000 0x7fef5469fff Memory Mapped File rwx False False False -
rascfg.dll 0x7fef5470000 0x7fef5489fff Memory Mapped File rwx False False False -
ndiscapcfg.dll 0x7fef5490000 0x7fef549efff Memory Mapped File rwx False False False -
hnetcfg.dll 0x7fef54a0000 0x7fef550afff Memory Mapped File rwx False False False -
resutils.dll 0x7fef5510000 0x7fef5528fff Memory Mapped File rwx False False False -
clusapi.dll 0x7fef5530000 0x7fef557ffff Memory Mapped File rwx False False False -
wbemess.dll 0x7fef55b0000 0x7fef562dfff Memory Mapped File rwx False False False -
ncobjapi.dll 0x7fef5630000 0x7fef5645fff Memory Mapped File rwx False False False -
wmiprvsd.dll 0x7fef5650000 0x7fef570bfff Memory Mapped File rwx False False False -
repdrvfs.dll 0x7fef5710000 0x7fef5782fff Memory Mapped File rwx False False False -
wmiutils.dll 0x7fef5790000 0x7fef57b5fff Memory Mapped File rwx False False False -
nci.dll 0x7fef57c0000 0x7fef57d9fff Memory Mapped File rwx False False False -
netcfgx.dll 0x7fef57e0000 0x7fef5863fff Memory Mapped File rwx False False False -
browser.dll 0x7fef5870000 0x7fef5894fff Memory Mapped File rwx False False False -
wbemcore.dll 0x7fef58a0000 0x7fef59cefff Memory Mapped File rwx False False False -
wdscore.dll 0x7fef59d0000 0x7fef5a16fff Memory Mapped File rwx False False False -
sqmapi.dll 0x7fef5a20000 0x7fef5a61fff Memory Mapped File rwx False False False -
iphlpsvc.dll 0x7fef5a70000 0x7fef5b01fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef5e10000 0x7fef5e95fff Memory Mapped File rwx False False False -
wmisvc.dll 0x7fef5ea0000 0x7fef5edffff Memory Mapped File rwx False False False -
tschannel.dll 0x7fef60c0000 0x7fef60c8fff Memory Mapped File rwx False False False -
vsstrace.dll 0x7fef65d0000 0x7fef65e6fff Memory Mapped File rwx False False False -
vssapi.dll 0x7fef65f0000 0x7fef679ffff Memory Mapped File rwx False False False -
netprofm.dll 0x7fef67d0000 0x7fef6843fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7fef8830000 0x7fef891dfff Memory Mapped File rwx False False False -
taskcomp.dll 0x7fef8df0000 0x7fef8e66fff Memory Mapped File rwx False False False -
ktmw32.dll 0x7fefa810000 0x7fefa819fff Memory Mapped File rwx False False False -
schedsvc.dll 0x7fefa820000 0x7fefa931fff Memory Mapped File rwx False False False -
wiarpc.dll 0x7fefac60000 0x7fefac6efff Memory Mapped File rwx False False False -
fvecerts.dll 0x7fefac70000 0x7fefac78fff Memory Mapped File rwx False False False -
tbs.dll 0x7fefac80000 0x7fefac88fff Memory Mapped File rwx False False False -
fveapi.dll 0x7fefac90000 0x7feface5fff Memory Mapped File rwx False False False -
shsvcs.dll 0x7fefacf0000 0x7fefad4dfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7fefad50000 0x7fefad67fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7fefad70000 0x7fefad80fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7fefae80000 0x7fefaed2fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaff0000 0x7fefaffafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb000000 0x7fefb026fff Memory Mapped File rwx False False False -
sens.dll 0x7fefb030000 0x7fefb043fff Memory Mapped File rwx False False False -
es.dll 0x7fefb060000 0x7fefb0c6fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb0d0000 0x7fefb0dafff Memory Mapped File rwx False False False -
For performance reasons, the remaining 241 entries are omitted.
The remaining entries can be found in flog.txt.
Process #4: wmiprvse.exe
0 0
Information Value
ID #4
File Name c:\windows\system32\wbem\wmiprvse.exe
Command Line C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:47, Reason: RPC Server
Unmonitor End Time: 00:02:12, Reason: Self Terminated
Monitor Duration 00:01:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb64
Parent PID 0x254 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0xB68
0xB6C
0xB70
0xB74
0xB78
0xB7C
0xB80
0xB84
0xB88
0xB8C
0xB90
0xB94
0xBC8
0xBCC
0xBD0
0xBD4
0xBD8
0xBDC
0xBE0
0xBE4
0xBE8
0xBEC
0xBF0
0xBF8
0x6BC
0x880
0x87C
0x878
0x8B8
0x3BC
0x3AC
0x780
0x2B0
0x6F8
0x708
0x7A4
0x7B4
0x760
0x85C
0x8C4
0x8C0
0x898
0x474
0x570
0x8F8
0x8FC
0x894
0x4F4
0x914
0x91C
0x920
0x918
0x910
0x90C
0x908
0x904
0x8D4
0x8D0
0x8CC
0x288
0x640
0x878
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
pagefile_0x0000000000360000 0x00360000 0x004e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000004f0000 0x004f0000 0x00670fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000680000 0x00680000 0x0073ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000740000 0x00740000 0x00746fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x00751fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000760000 0x00760000 0x00760fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000770000 0x00770000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x00780fff Pagefile Backed Memory r True False False -
private_0x0000000000790000 0x00790000 0x0079ffff Private Memory rw True False False -
pagefile_0x00000000007a0000 0x007a0000 0x007a0fff Pagefile Backed Memory rw True False False -
private_0x00000000007b0000 0x007b0000 0x0082ffff Private Memory rw True False False -
private_0x0000000000830000 0x00830000 0x0092ffff Private Memory rw True False False -
private_0x0000000000930000 0x00930000 0x009affff Private Memory rw True False False -
ff3d.msi 0x00930000 0x00953fff Memory Mapped File r False False False -
private_0x00000000009e0000 0x009e0000 0x00a5ffff Private Memory rw True False False -
sortdefault.nls 0x00a60000 0x00d2efff Memory Mapped File r False False False -
pagefile_0x0000000000d30000 0x00d30000 0x01122fff Pagefile Backed Memory r True False False -
private_0x00000000011b0000 0x011b0000 0x0122ffff Private Memory rw True False False -
private_0x0000000001260000 0x01260000 0x012dffff Private Memory rw True False False -
private_0x00000000012e0000 0x012e0000 0x0135ffff Private Memory rw True False False -
private_0x00000000013b0000 0x013b0000 0x0142ffff Private Memory rw True False False -
private_0x0000000001440000 0x01440000 0x014bffff Private Memory rw True False False -
private_0x00000000014f0000 0x014f0000 0x0156ffff Private Memory rw True False False -
private_0x0000000001580000 0x01580000 0x015fffff Private Memory rw True False False -
1bcb9f.msi 0x01600000 0x020b7fff Memory Mapped File r False False False -
private_0x0000000001620000 0x01620000 0x0169ffff Private Memory rw True False False -
1bcb9f.msi 0x016a0000 0x02157fff Memory Mapped File r False False False -
private_0x00000000016a0000 0x016a0000 0x0179ffff Private Memory rw True False False -
private_0x00000000017f0000 0x017f0000 0x017fffff Private Memory rw True False False -
private_0x0000000001800000 0x01800000 0x018fffff Private Memory rw True False False -
private_0x0000000001910000 0x01910000 0x0191ffff Private Memory rw True False False -
private_0x0000000001a20000 0x01a20000 0x01a9ffff Private Memory rw True False False -
private_0x0000000001b60000 0x01b60000 0x01bdffff Private Memory rwx True False False -
private_0x00000000021a0000 0x021a0000 0x021affff Private Memory rw True False False -
private_0x00000000021b0000 0x021b0000 0x022affff Private Memory rw True False False -
private_0x00000000022c0000 0x022c0000 0x0233ffff Private Memory rw True False False -
private_0x00000000023a0000 0x023a0000 0x0241ffff Private Memory rw True False False -
1bcb9f.msi 0x02420000 0x02e1ffff Memory Mapped File r False False False -
private_0x0000000002420000 0x02420000 0x0251ffff Private Memory rw True False False -
private_0x0000000002520000 0x02520000 0x0271ffff Private Memory rw True False False -
private_0x0000000002720000 0x02720000 0x02b1ffff Private Memory rw True False False -
private_0x0000000002b20000 0x02b20000 0x02c1ffff Private Memory rw True False False -
private_0x0000000002cf0000 0x02cf0000 0x02cfffff Private Memory rw True False False -
pagefile_0x0000000002e20000 0x02e20000 0x03162fff Pagefile Backed Memory r True False False -
private_0x0000000003340000 0x03340000 0x033bffff Private Memory rwx True False False -
msimsg.dll 0x75230000 0x75236fff Memory Mapped File rwx False False False -
kernel32.dll 0x773c0000 0x774defff Memory Mapped File rwx False False False -
user32.dll 0x774e0000 0x775d9fff Memory Mapped File rwx False False False -
ntdll.dll 0x775e0000 0x77788fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
wmiprvse.exe 0xff750000 0xff7aefff Memory Mapped File rwx False False False -
msisip.dll 0x7fee53a0000 0x7fee53aafff Memory Mapped File rwx False False False -
msiprov.dll 0x7fee53b0000 0x7fee5414fff Memory Mapped File rwx False False False -
comctl32.dll 0x7fee6da0000 0x7fee6e3ffff Memory Mapped File rwx False False False -
mscoreei.dll 0x7fee94d0000 0x7fee9568fff Memory Mapped File rwx True False False -
mscoree.dll 0x7fee9570000 0x7fee95defff Memory Mapped File rwx True False False -
ncobjapi.dll 0x7fef5630000 0x7fef5645fff Memory Mapped File rwx False False False -
wmiutils.dll 0x7fef5790000 0x7fef57b5fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef5e10000 0x7fef5e95fff Memory Mapped File rwx False False False -
msi.dll 0x7fef9a00000 0x7fef9d15fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fefa5e0000 0x7fefa636fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefb4a0000 0x7fefb4ccfff Memory Mapped File rwx False False False -
fastprox.dll 0x7fefb610000 0x7fefb6f1fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fefb780000 0x7fefb793fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fefb810000 0x7fefb836fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fefb8a0000 0x7fefb8aefff Memory Mapped File rwx False False False -
version.dll 0x7fefc6f0000 0x7fefc6fbfff Memory Mapped File rwx False False False -
gpapi.dll 0x7fefc8b0000 0x7fefc8cafff Memory Mapped File rwx False False False -
userenv.dll 0x7fefc8d0000 0x7fefc8edfff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fefca60000 0x7fefcaabfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcb20000 0x7fefcb66fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefce20000 0x7fefce36fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fefcf90000 0x7fefcfb1fff Memory Mapped File rwx False False False -
ncrypt.dll 0x7fefcfc0000 0x7fefd00dfff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd3f0000 0x7fefd414fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd420000 0x7fefd42efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd4d0000 0x7fefd50cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd510000 0x7fefd523fff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd530000 0x7fefd53efff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd5d0000 0x7fefd5defff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefd680000 0x7fefd6b9fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd6e0000 0x7fefd74afff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd750000 0x7fefd8b6fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefd900000 0x7fefd94cfff Memory Mapped File rwx False False False -
msctf.dll 0x7fefd970000 0x7fefda78fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefda80000 0x7fefdbacfff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdce0000 0x7fefdcedfff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefdcf0000 0x7fefdd60fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd70000 0x7fefde38fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefde40000 0x7fefde47fff Memory Mapped File rwx False False False -
shell32.dll 0x7fefde50000 0x7fefebd7fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefebe0000 0x7fefec0dfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefed90000 0x7fefee6afff Memory Mapped File rwx False False False -
ole32.dll 0x7fefee70000 0x7feff072fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff2e0000 0x7feff37efff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff380000 0x7feff456fff Memory Mapped File rwx False False False -
wldap32.dll 0x7feff4e0000 0x7feff531fff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff540000 0x7feff5a6fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff5b0000 0x7feff648fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff830000 0x7feff84efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff900000 0x7feff900fff Memory Mapped File rwx False False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #5: msiexec.exe
128 0
Information Value
ID #5
File Name c:\windows\system32\msiexec.exe
Command Line C:\Windows\system32\msiexec.exe /V
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:49, Reason: RPC Server
Unmonitor End Time: 00:04:34, Reason: Terminated by Timeout
Monitor Duration 00:03:45
OS Process Information
Information Value
PID 0xb98
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBC0, 0xBBC, 0xBB8, 0xBB0, 0xBAC, 0xB9C, 0x3BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
msiexec.exe.mui 0x00060000 0x00060fff Memory Mapped File rw False False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
pagefile_0x0000000000160000 0x00160000 0x0021ffff Pagefile Backed Memory r True False False -
private_0x0000000000220000 0x00220000 0x00220fff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x00440fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000450000 0x00450000 0x00451fff Pagefile Backed Memory r True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x00697fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006a0000 0x006a0000 0x00820fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x00830000 0x00afefff Memory Mapped File r False False False -
private_0x0000000000b50000 0x00b50000 0x00bcffff Private Memory rw True False False -
private_0x0000000000bd0000 0x00bd0000 0x00c4ffff Private Memory rw True False False -
private_0x0000000000cb0000 0x00cb0000 0x00d2ffff Private Memory rw True False False -
private_0x0000000000ea0000 0x00ea0000 0x00f1ffff Private Memory rw True False False -
private_0x0000000000f70000 0x00f70000 0x00feffff Private Memory rw True False False -
kernel32.dll 0x773c0000 0x774defff Memory Mapped File rwx False False False -
user32.dll 0x774e0000 0x775d9fff Memory Mapped File rwx False False False -
ntdll.dll 0x775e0000 0x77788fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
msiexec.exe 0xffed0000 0xffef3fff Memory Mapped File rwx True False False -
msi.dll 0x7fef9a00000 0x7fef9d15fff Memory Mapped File rwx True False False -
comctl32.dll 0x7fefc030000 0x7fefc223fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcb20000 0x7fefcb66fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefce20000 0x7fefce36fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd420000 0x7fefd42efff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd510000 0x7fefd523fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd6e0000 0x7fefd74afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefd970000 0x7fefda78fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefda80000 0x7fefdbacfff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdce0000 0x7fefdcedfff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefdcf0000 0x7fefdd60fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd70000 0x7fefde38fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefebe0000 0x7fefec0dfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefed90000 0x7fefee6afff Memory Mapped File rwx False False False -
ole32.dll 0x7fefee70000 0x7feff072fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff2e0000 0x7feff37efff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff380000 0x7feff456fff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff540000 0x7feff5a6fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff5b0000 0x7feff648fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff830000 0x7feff84efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff900000 0x7feff900fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
Module (79)
Operation Module Additional Information Success Count Logfile
Load Msi.dll base_address = 0x7fef9a00000 True 27 Fn
Get Address c:\windows\system32\kernel32.dll function = SetWaitableTimer, address_out = 0x773c8890 True 1 Fn
Get Address c:\windows\system32\msi.dll function = QueryInstanceCount, address_out = 0x7fef9a1009c True 27 Fn
Get Address c:\windows\system32\msi.dll function = DllGetClassObject, address_out = 0x7fef9a6ebf8 True 24 Fn
System (49)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 48 Fn
Sleep duration = -1 (infinite) False 1 Fn
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.
Screenshot