513813af...b4c8 | Grouped Behavior
Try VMRay Analyzer
VTI SCORE: 93/100
Dynamic Analysis Report
Classification: -

513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8 (SHA256)

=UTF-8B2KfZhNmB2YfYp9ix2LMueGxzbQ===.xls

Excel Document

Created at 2019-01-09 08:38:00

Monitored Processes

Process Overview
»
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x91c Analysis Target Medium excel.exe "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -
#2 0x410 Child Process Medium regsvr32.exe regsvr32.exe /s /n /u /i:C:\Users\aETAdzjz\AppData\Local\Temp\12-B-366.txt scrobj.dll #1
#3 0x874 Child Process Medium powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -File C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 #2

Behavior Information - Grouped by Category

Process #1: excel.exe
7101 0
»
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\excel.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:43, Reason: Analysis Target
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:03:38
OS Process Information
»
Information Value
PID 0x91c
Parent PID 0x39c (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B44
0x B40
0x B3C
0x B38
0x B34
0x B30
0x B24
0x B20
0x AFC
0x AF8
0x A50
0x A4C
0x A30
0x A2C
0x A04
0x 984
0x 980
0x 97C
0x 978
0x 974
0x 970
0x 96C
0x 964
0x 940
0x 93C
0x 938
0x 934
0x 928
0x 924
0x 920
0x BC4
0x BC8
0x BF8
0x 80C
0x 4B4
0x 774
0x BB8
0x 9B8
0x B38
0x BB0
0x 9A8
0x 9E0
0x B0
0x 1E0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00020fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
pagefile_0x0000000000070000 0x00070000 0x00070fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000080000 0x00080000 0x00086fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000090000 0x00090000 0x00091fff Pagefile Backed Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c2fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory - True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e2fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f2fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000200000 0x00200000 0x00202fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
locale.nls 0x00310000 0x00376fff Memory Mapped File r False False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01bb0000 0x01e7efff Memory Mapped File r False False False -
pagefile_0x0000000001e80000 0x01e80000 0x02272fff Pagefile Backed Memory r True False False -
private_0x0000000002280000 0x02280000 0x0237ffff Private Memory rw True False False -
pagefile_0x0000000002380000 0x02380000 0x02382fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002390000 0x02390000 0x02392fff Pagefile Backed Memory r True False False -
pagefile_0x00000000023a0000 0x023a0000 0x023a1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000023b0000 0x023b0000 0x023b1fff Pagefile Backed Memory r True False False -
private_0x00000000023c0000 0x023c0000 0x023c0fff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x0240ffff Private Memory rw True False False -
pagefile_0x0000000002410000 0x02410000 0x02410fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000002420000 0x02420000 0x02421fff Pagefile Backed Memory r True False False -
index.dat 0x02430000 0x0243bfff Memory Mapped File rw True False False -
private_0x0000000002440000 0x02440000 0x0244ffff Private Memory rw True False False -
private_0x0000000002450000 0x02450000 0x0264ffff Private Memory rw True False False -
index.dat 0x02650000 0x02657fff Memory Mapped File rw True False False -
index.dat 0x02660000 0x0266ffff Memory Mapped File rw True False False -
pagefile_0x0000000002670000 0x02670000 0x02670fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002680000 0x02680000 0x02680fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002690000 0x02690000 0x02694fff Pagefile Backed Memory rw True False False -
private_0x00000000026a0000 0x026a0000 0x026a0fff Private Memory rw True False False -
private_0x00000000026b0000 0x026b0000 0x026bffff Private Memory rw True False False -
private_0x00000000026c0000 0x026c0000 0x0273ffff Private Memory rw True False False -
pagefile_0x0000000002740000 0x02740000 0x0281efff Pagefile Backed Memory r True False False -
pagefile_0x0000000002820000 0x02820000 0x02821fff Pagefile Backed Memory r True False False -
private_0x0000000002830000 0x02830000 0x02830fff Private Memory rw True False False -
private_0x0000000002840000 0x02840000 0x02840fff Private Memory rw True False False -
private_0x0000000002850000 0x02850000 0x02850fff Private Memory rw True False False -
private_0x0000000002860000 0x02860000 0x0295ffff Private Memory rw True False False -
private_0x0000000002960000 0x02960000 0x02960fff Private Memory rw True False False -
private_0x0000000002970000 0x02970000 0x02970fff Private Memory rw True False False -
pagefile_0x0000000002980000 0x02980000 0x02981fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002990000 0x02990000 0x02990fff Pagefile Backed Memory r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x029a0000 0x029bffff Memory Mapped File r True False False -
private_0x00000000029c0000 0x029c0000 0x029cffff Private Memory rw True False False -
pagefile_0x00000000029d0000 0x029d0000 0x029d0fff Pagefile Backed Memory rw True False False -
private_0x00000000029e0000 0x029e0000 0x029e0fff Private Memory rw True False False -
pagefile_0x00000000029f0000 0x029f0000 0x029f0fff Pagefile Backed Memory r True False False -
private_0x0000000002a00000 0x02a00000 0x02a0ffff Private Memory rw True False False -
private_0x0000000002a10000 0x02a10000 0x02a21fff Private Memory rw True False False -
pagefile_0x0000000002a30000 0x02a30000 0x02a31fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002a40000 0x02a40000 0x02a40fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002a50000 0x02a50000 0x02a51fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002a60000 0x02a60000 0x02a60fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002a70000 0x02a70000 0x02a71fff Pagefile Backed Memory r True False False -
private_0x0000000002a80000 0x02a80000 0x02b7ffff Private Memory rw True False False -
xlintl32.dll 0x02b80000 0x03bc7fff Memory Mapped File r False False False -
kernelbase.dll.mui 0x03bd0000 0x03c8ffff Memory Mapped File rw False False False -
private_0x0000000003c90000 0x03c90000 0x03c90fff Private Memory rw True False False -
private_0x0000000003ca0000 0x03ca0000 0x03ca1fff Private Memory rw True False False -
private_0x0000000003cb0000 0x03cb0000 0x03cb0fff Private Memory rw True False False -
private_0x0000000003cc0000 0x03cc0000 0x03dbffff Private Memory rw True False False -
private_0x0000000003dc0000 0x03dc0000 0x03ebffff Private Memory rw True False False -
private_0x0000000003ec0000 0x03ec0000 0x03ec0fff Private Memory rw True False False -
private_0x0000000003ed0000 0x03ed0000 0x03fcffff Private Memory rw True False False -
private_0x0000000003fd0000 0x03fd0000 0x03fe1fff Private Memory rw True False False -
private_0x0000000003ff0000 0x03ff0000 0x03ff0fff Private Memory rw True False False -
private_0x0000000004000000 0x04000000 0x04000fff Private Memory rw True False False -
pagefile_0x0000000004010000 0x04010000 0x04011fff Pagefile Backed Memory r True False False -
private_0x0000000004020000 0x04020000 0x04020fff Private Memory rw True False False -
private_0x0000000004030000 0x04030000 0x04030fff Private Memory rw True False False -
private_0x0000000004040000 0x04040000 0x0413ffff Private Memory rw True False False -
c_1255.nls 0x04140000 0x04150fff Memory Mapped File r False False False -
private_0x0000000004160000 0x04160000 0x04160fff Private Memory rw True False False -
private_0x0000000004170000 0x04170000 0x0426ffff Private Memory rw True False False -
private_0x0000000004270000 0x04270000 0x0436ffff Private Memory rw True False False -
private_0x0000000004370000 0x04370000 0x04370fff Private Memory rw True False False -
private_0x0000000004380000 0x04380000 0x04380fff Private Memory rw True False False -
private_0x0000000004390000 0x04390000 0x04390fff Private Memory rw True False False -
private_0x00000000043a0000 0x043a0000 0x043a0fff Private Memory rw True False False -
private_0x00000000043b0000 0x043b0000 0x043b0fff Private Memory rw True False False -
private_0x00000000043c0000 0x043c0000 0x043c0fff Private Memory rw True False False -
private_0x00000000043d0000 0x043d0000 0x043d0fff Private Memory rw True False False -
private_0x00000000043e0000 0x043e0000 0x043e0fff Private Memory rw True False False -
private_0x00000000043f0000 0x043f0000 0x043f1fff Private Memory rw True False False -
private_0x0000000004400000 0x04400000 0x04401fff Private Memory rw True False False -
private_0x0000000004410000 0x04410000 0x04410fff Private Memory rw True False False -
private_0x0000000004420000 0x04420000 0x04421fff Private Memory rw True False False -
cversions.2.db 0x04430000 0x04433fff Memory Mapped File r True False False -
private_0x0000000004440000 0x04440000 0x04441fff Private Memory rw True False False -
cversions.2.db 0x04450000 0x04453fff Memory Mapped File r True False False -
private_0x0000000004460000 0x04460000 0x04460fff Private Memory rw True False False -
seguisb.ttf 0x04470000 0x044d3fff Memory Mapped File r False False False -
segoeui.ttf 0x044e0000 0x0455efff Memory Mapped File r False False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db 0x04560000 0x0458ffff Memory Mapped File r True False False -
pagefile_0x0000000004590000 0x04590000 0x04591fff Pagefile Backed Memory r True False False -
comdlg32.dll.mui 0x045a0000 0x045acfff Memory Mapped File rw False False False -
pagefile_0x00000000045b0000 0x045b0000 0x045b1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000045c0000 0x045c0000 0x045c1fff Pagefile Backed Memory r True False False -
private_0x00000000045d0000 0x045d0000 0x0464ffff Private Memory rw True False False -
pagefile_0x0000000004650000 0x04650000 0x04651fff Pagefile Backed Memory r True False False -
private_0x0000000004660000 0x04660000 0x04662fff Private Memory rw True False False -
private_0x0000000004670000 0x04670000 0x04672fff Private Memory rw True False False -
private_0x0000000004680000 0x04680000 0x04682fff Private Memory rw True False False -
private_0x0000000004690000 0x04690000 0x04692fff Private Memory rw True False False -
pagefile_0x00000000046a0000 0x046a0000 0x046a1fff Pagefile Backed Memory rw True False False -
private_0x00000000046b0000 0x046b0000 0x046b0fff Private Memory rw True False False -
private_0x00000000046c0000 0x046c0000 0x046c0fff Private Memory rw True False False -
private_0x00000000046d0000 0x046d0000 0x0474ffff Private Memory rwx True False False -
pagefile_0x0000000004750000 0x04750000 0x04b4ffff Pagefile Backed Memory r True False False -
private_0x0000000004b50000 0x04b50000 0x04f4ffff Private Memory rw True False False -
private_0x0000000004f50000 0x04f50000 0x04f50fff Private Memory rw True False False -
private_0x0000000004f60000 0x04f60000 0x04f60fff Private Memory rw True False False -
private_0x0000000004f70000 0x04f70000 0x0506ffff Private Memory rw True False False -
private_0x0000000005070000 0x05070000 0x0516ffff Private Memory rw True False False -
private_0x0000000005170000 0x05170000 0x05170fff Private Memory rw True False False -
private_0x0000000005180000 0x05180000 0x05181fff Private Memory rw True False False -
private_0x0000000005190000 0x05190000 0x05190fff Private Memory rw True False False -
private_0x00000000051a0000 0x051a0000 0x051affff Private Memory rw True False False -
private_0x00000000051b0000 0x051b0000 0x051b0fff Private Memory rw True False False -
private_0x00000000051c0000 0x051c0000 0x051c1fff Private Memory rw True False False -
private_0x00000000051d0000 0x051d0000 0x052cffff Private Memory rw True False False -
private_0x00000000052d0000 0x052d0000 0x053cffff Private Memory rw True False False -
pagefile_0x00000000053d0000 0x053d0000 0x05712fff Pagefile Backed Memory r True False False -
private_0x0000000005720000 0x05720000 0x05720fff Private Memory rw True False False -
private_0x0000000005730000 0x05730000 0x05730fff Private Memory rw True False False -
private_0x0000000005740000 0x05740000 0x05741fff Private Memory rw True False False -
private_0x0000000005750000 0x05750000 0x05750fff Private Memory rw True False False -
private_0x0000000005760000 0x05760000 0x05760fff Private Memory rw True False False -
private_0x0000000005770000 0x05770000 0x0586ffff Private Memory rw True False False -
private_0x0000000005870000 0x05870000 0x058effff Private Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x058f0000 0x05955fff Memory Mapped File r True False False -
pagefile_0x0000000005960000 0x05960000 0x05961fff Pagefile Backed Memory r True False False -
cversions.2.db 0x05970000 0x05973fff Memory Mapped File r True False False -
private_0x0000000005980000 0x05980000 0x05980fff Private Memory rw True False False -
private_0x0000000005990000 0x05990000 0x05990fff Private Memory rw True False False -
{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db 0x059a0000 0x059a0fff Memory Mapped File r True False False -
For performance reasons, the remaining 431 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 17.76 KB MD5: e6d55fffc72e853d24440ef89e216611
SHA1: 293a8817bc2e35ad4db630dd58dc8229523ac252
SHA256: 93a530e6d04e88730fd787d31f9a8e69fcbae3a14ba650008d1b5712ecb2cfb2
SSDeep: 384:LOi5Zg5RQ60lRrUbLmagfOypXquFGRawwha5gCvZQ28kS4n:Lh57lRruLm1dGRNw05gAZR86n
False
c:\users\aetadzjz\appdata\local\temp\12-b-366.txt 0.36 KB MD5: ce86eb5b2736c66df0af4dd826d4dd55
SHA1: 17d630f02db15facff4e0acd56f3559b092df81f
SHA256: b2c99d88252ab0b9ab4be05290afaaa8e64bbcd9292dfe07cef905b2f37e5d33
SSDeep: 6:RlS0tu4oQ+KmWP+GGJ7vuYOMiUXZrlNHsnyLmyCpYOaoNkDv5NrjSTptZAB/MGni:Rlz9T16GgrXsnF/E5N3rMG4wI
False
Host Behavior
COM (3)
»
Operation Class Interface Additional Information Success Count Logfile
Create WScript.Shell IUnknown cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create Scripting.FileSystemObject IUnknown cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 2
Fn
Registry (59)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Fn
Open Key HKEY_CLASSES_ROOT\Licenses - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409 - False 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9 - False 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Read Value HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 data = } False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = RequireDeclaration, data = 66, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = CompileOnDemand, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BackGroundCompile, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 data = C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE True 1
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 data = C:\Windows\system32\stdole2.tlb True 2
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL True 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = VbaCapability, data = 48 False 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create regsvr32.exe /s /n /u /i:C:\Users\aETAdzjz\AppData\Local\Temp\12-B-366.txt scrobj.dll os_pid = 0x410, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Module (161)
»
Operation Module Additional Information Success Count Logfile
Load Comctl32.dll base_address = 0x7fefc690000 True 1
Fn
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x7fee4fe0000 True 1
Fn
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL base_address = 0x7fee6090000 True 1
Fn
Load OLEAUT32.DLL base_address = 0x7feffd80000 True 1
Fn
Load VBE7.DLL base_address = 0x7fee5280000 True 9
Fn
Load ADVAPI32.DLL base_address = 0x7feff0e0000 True 1
Fn
Get Handle Unknown module name base_address = 0x13f860000 True 1
Fn
Get Handle MSI.DLL base_address = 0x7fefa750000 True 1
Fn
Get Handle C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x0 False 1
Fn
Get Handle USER32 base_address = 0x77a20000 True 1
Fn
Get Handle oleaut32.dll base_address = 0x7feffd80000 True 1
Fn
Get Filename - process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 3
Fn
Get Address Unknown module name function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c True 1
Fn
Get Address Unknown module name function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c True 1
Fn
Get Address Unknown module name function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618 True 1
Fn
Get Address Unknown module name function = MsiProvideComponentA, address_out = 0x7fefa7cf088 True 1
Fn
Get Address Unknown module name function = MsoVBADigSigCallDlg, address_out = 0x7fee50e72c0 True 1
Fn
Get Address Unknown module name function = MsoVbaInitSecurity, address_out = 0x7fee50560b0 True 1
Fn
Get Address Unknown module name function = MsoFIEPolicyAndVersion, address_out = 0x7fee5001a60 True 1
Fn
Get Address Unknown module name function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee5055f50 True 1
Fn
Get Address Unknown module name function = MsoFInitOffice, address_out = 0x7fee4fff000 True 1
Fn
Get Address Unknown module name function = MsoUninitOffice, address_out = 0x7fee4fee860 True 1
Fn
Get Address Unknown module name function = MsoFGetFontSettings, address_out = 0x7fee4fe3fc0 True 1
Fn
Get Address Unknown module name function = MsoRgchToRgwch, address_out = 0x7fee4ff2380 True 1
Fn
Get Address Unknown module name function = MsoHrSimpleQueryInterface, address_out = 0x7fee4fe7b80 True 1
Fn
Get Address Unknown module name function = MsoHrSimpleQueryInterface2, address_out = 0x7fee4fe7b20 True 1
Fn
Get Address Unknown module name function = MsoFCreateControl, address_out = 0x7fee4fe8730 True 1
Fn
Get Address Unknown module name function = MsoFLongLoad, address_out = 0x7fee5123260 True 1
Fn
Get Address Unknown module name function = MsoFLongSave, address_out = 0x7fee5123280 True 1
Fn
Get Address Unknown module name function = MsoFGetTooltips, address_out = 0x7fee4ff1f40 True 1
Fn
Get Address Unknown module name function = MsoFSetTooltips, address_out = 0x7fee5056370 True 1
Fn
Get Address Unknown module name function = MsoFLoadToolbarSet, address_out = 0x7fee5044590 True 1
Fn
Get Address Unknown module name function = MsoFCreateToolbarSet, address_out = 0x7fee4fe55b0 True 1
Fn
Get Address Unknown module name function = MsoHpalOffice, address_out = 0x7fee4ff0240 True 1
Fn
Get Address Unknown module name function = MsoFWndProcNeeded, address_out = 0x7fee4fe3d10 True 1
Fn
Get Address Unknown module name function = MsoFWndProc, address_out = 0x7fee4fe6d30 True 1
Fn
Get Address Unknown module name function = MsoFCreateITFCHwnd, address_out = 0x7fee4fe3d40 True 1
Fn
Get Address Unknown module name function = MsoDestroyITFC, address_out = 0x7fee4fee6f0 True 1
Fn
Get Address Unknown module name function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee4fedf40 True 1
Fn
Get Address Unknown module name function = MsoFGetComponentManager, address_out = 0x7fee4fe7bf0 True 1
Fn
Get Address Unknown module name function = MsoMultiByteToWideChar, address_out = 0x7fee4fefcd0 True 1
Fn
Get Address Unknown module name function = MsoWideCharToMultiByte, address_out = 0x7fee4fe8b20 True 1
Fn
Get Address Unknown module name function = MsoHrRegisterAll, address_out = 0x7fee50e2ef0 True 1
Fn
Get Address Unknown module name function = MsoFSetComponentManager, address_out = 0x7fee4ff42c0 True 1
Fn
Get Address Unknown module name function = MsoFCreateStdComponentManager, address_out = 0x7fee4fe3e20 True 1
Fn
Get Address Unknown module name function = MsoFHandledMessageNeeded, address_out = 0x7fee4feab10 True 1
Fn
Get Address Unknown module name function = MsoPeekMessage, address_out = 0x7fee4fea7d0 True 1
Fn
Get Address Unknown module name function = MsoFCreateIPref, address_out = 0x7fee4fe1550 True 1
Fn
Get Address Unknown module name function = MsoDestroyIPref, address_out = 0x7fee4fee830 True 1
Fn
Get Address Unknown module name function = MsoChsFromLid, address_out = 0x7fee4fe13d0 True 1
Fn
Get Address Unknown module name function = MsoCpgFromChs, address_out = 0x7fee4fe6660 True 1
Fn
Get Address Unknown module name function = MsoSetLocale, address_out = 0x7fee4fe1500 True 1
Fn
Get Address Unknown module name function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee4fe3dd0 True 1
Fn
Get Address Unknown module name function = MsoSetVbaInterfaces, address_out = 0x7fee50e71e0 True 1
Fn
Get Address Unknown module name function = MsoGetControlInstanceId, address_out = 0x7fee50b6d10 True 1
Fn
Get Address Unknown module name function = VbeuiFIsEdpEnabled, address_out = 0x7fee51298e0 True 1
Fn
Get Address Unknown module name function = VbeuiEnterpriseProtect, address_out = 0x7fee5129830 True 1
Fn
Get Address Unknown module name function = SysFreeString, address_out = 0x7feffd81320 True 1
Fn
Get Address Unknown module name function = LoadTypeLib, address_out = 0x7feffd8f1e0 True 1
Fn
Get Address Unknown module name function = RegisterTypeLib, address_out = 0x7feffddcaa0 True 1
Fn
Get Address Unknown module name function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760 True 1
Fn
Get Address Unknown module name function = UnRegisterTypeLib, address_out = 0x7feffe120d0 True 2
Fn
Get Address Unknown module name function = OleTranslateColor, address_out = 0x7feffdac760 True 1
Fn
Get Address Unknown module name function = OleCreateFontIndirect, address_out = 0x7feffddecd0 True 1
Fn
Get Address Unknown module name function = OleCreatePictureIndirect, address_out = 0x7feffdde840 True 1
Fn
Get Address Unknown module name function = OleLoadPicture, address_out = 0x7feffdef420 True 1
Fn
Get Address Unknown module name function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0 True 1
Fn
Get Address Unknown module name function = OleCreatePropertyFrame, address_out = 0x7feffde9350 True 1
Fn
Get Address Unknown module name function = OleIconToCursor, address_out = 0x7feffdb6e40 True 1
Fn
Get Address Unknown module name function = LoadTypeLibEx, address_out = 0x7feffd8a550 True 2
Fn
Get Address Unknown module name function = OleLoadPictureEx, address_out = 0x7feffdef320 True 1
Fn
Get Address Unknown module name function = GetSystemMetrics, address_out = 0x77a394f0 True 1
Fn
Get Address Unknown module name function = MonitorFromWindow, address_out = 0x77a35f08 True 1
Fn
Get Address Unknown module name function = MonitorFromRect, address_out = 0x77a32b00 True 1
Fn
Get Address Unknown module name function = MonitorFromPoint, address_out = 0x77a2ab64 True 1
Fn
Get Address Unknown module name function = EnumDisplayMonitors, address_out = 0x77a35c30 True 1
Fn
Get Address Unknown module name function = GetMonitorInfoA, address_out = 0x77a2a730 True 1
Fn
Get Address Unknown module name function = EnumDisplayDevicesA, address_out = 0x77a2a5b4 True 1
Fn
Get Address Unknown module name function = DispCallFunc, address_out = 0x7feffd82270 True 1
Fn
Get Address Unknown module name function = CreateTypeLib2, address_out = 0x7feffe0dbd0 True 1
Fn
Get Address Unknown module name function = VarDateFromUdate, address_out = 0x7feffd85c90 True 1
Fn
Get Address Unknown module name function = VarUdateFromDate, address_out = 0x7feffd86330 True 1
Fn
Get Address Unknown module name function = GetAltMonthNames, address_out = 0x7feffda66c0 True 1
Fn
Get Address Unknown module name function = VarNumFromParseNum, address_out = 0x7feffd84710 True 1
Fn
Get Address Unknown module name function = VarParseNumFromStr, address_out = 0x7feffd848f0 True 1
Fn
Get Address Unknown module name function = VarDecFromR4, address_out = 0x7feffdbb640 True 1
Fn
Get Address Unknown module name function = VarDecFromR8, address_out = 0x7feffdbb360 True 1
Fn
Get Address Unknown module name function = VarDecFromDate, address_out = 0x7feffdc2640 True 1
Fn
Get Address Unknown module name function = VarDecFromI4, address_out = 0x7feffda58a0 True 1
Fn
Get Address Unknown module name function = VarDecFromCy, address_out = 0x7feffda5820 True 1
Fn
Get Address Unknown module name function = VarR4FromDec, address_out = 0x7feffdbaf20 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromGuids, address_out = 0x7feffe12160 True 1
Fn
Get Address Unknown module name function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0 True 1
Fn
Get Address Unknown module name function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90 True 1
Fn
Get Address Unknown module name function = SafeArrayGetIID, address_out = 0x7feffda5a60 True 1
Fn
Get Address Unknown module name function = SafeArraySetIID, address_out = 0x7feffda5a30 True 1
Fn
Get Address Unknown module name function = SafeArrayCopyData, address_out = 0x7feffd860b0 True 1
Fn
Get Address Unknown module name function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90 True 1
Fn
Get Address Unknown module name function = SafeArrayCreateEx, address_out = 0x7feffdd9f80 True 1
Fn
Get Address Unknown module name function = VarFormat, address_out = 0x7feffe09b20 True 1
Fn
Get Address Unknown module name function = VarFormatDateTime, address_out = 0x7feffe09aa0 True 1
Fn
Get Address Unknown module name function = VarFormatNumber, address_out = 0x7feffe09990 True 1
Fn
Get Address Unknown module name function = VarFormatPercent, address_out = 0x7feffe09890 True 1
Fn
Get Address Unknown module name function = VarFormatCurrency, address_out = 0x7feffe09770 True 1
Fn
Get Address Unknown module name function = VarWeekdayName, address_out = 0x7feffdeb8d0 True 1
Fn
Get Address Unknown module name function = VarMonthName, address_out = 0x7feffdeb800 True 1
Fn
Get Address Unknown module name function = VarAdd, address_out = 0x7feffe048e0 True 1
Fn
Get Address Unknown module name function = VarAnd, address_out = 0x7feffe09470 True 1
Fn
Get Address Unknown module name function = VarCat, address_out = 0x7feffe096a0 True 1
Fn
Get Address Unknown module name function = VarDiv, address_out = 0x7feffe02fe0 True 1
Fn
Get Address Unknown module name function = VarEqv, address_out = 0x7feffe09cf0 True 1
Fn
Get Address Unknown module name function = VarIdiv, address_out = 0x7feffe08ff0 True 1
Fn
Get Address Unknown module name function = VarImp, address_out = 0x7feffe09c00 True 1
Fn
Get Address Unknown module name function = VarMod, address_out = 0x7feffe08e60 True 1
Fn
Get Address Unknown module name function = VarMul, address_out = 0x7feffe03690 True 1
Fn
Get Address Unknown module name function = VarOr, address_out = 0x7feffe092d0 True 1
Fn
Get Address Unknown module name function = VarPow, address_out = 0x7feffe02e80 True 1
Fn
Get Address Unknown module name function = VarSub, address_out = 0x7feffe03f90 True 1
Fn
Get Address Unknown module name function = VarXor, address_out = 0x7feffe091a0 True 1
Fn
Get Address Unknown module name function = VarAbs, address_out = 0x7feffde7c30 True 1
Fn
Get Address Unknown module name function = VarFix, address_out = 0x7feffde7a60 True 1
Fn
Get Address Unknown module name function = VarInt, address_out = 0x7feffde7890 True 1
Fn
Get Address Unknown module name function = VarNeg, address_out = 0x7feffde7ea0 True 1
Fn
Get Address Unknown module name function = VarNot, address_out = 0x7feffe09600 True 1
Fn
Get Address Unknown module name function = VarRound, address_out = 0x7feffde76a0 True 1
Fn
Get Address Unknown module name function = VarCmp, address_out = 0x7feffe083f0 True 1
Fn
Get Address Unknown module name function = VarDecAdd, address_out = 0x7feffdb3070 True 1
Fn
Get Address Unknown module name function = VarDecCmp, address_out = 0x7feffdbd700 True 1
Fn
Get Address Unknown module name function = VarBstrCat, address_out = 0x7feffdbd890 True 1
Fn
Get Address Unknown module name function = VarCyMulI4, address_out = 0x7feffd9caf0 True 1
Fn
Get Address Unknown module name function = VarBstrCmp, address_out = 0x7feffda8a00 True 1
Fn
Get Address Unknown module name address_out = 0x7fee4fefcd0 True 1
Fn
Get Address Unknown module name function = 716, address_out = 0x7fee55c24c8 True 3
Fn
Get Address Unknown module name function = 712, address_out = 0x7fee5609db0 True 3
Fn
Get Address Unknown module name function = 600, address_out = 0x7fee5384ee0 True 3
Fn
Get Address Unknown module name function = CryptAcquireContextA, address_out = 0x7feff0e8180 True 1
Fn
Get Address Unknown module name function = CryptCreateHash, address_out = 0x7feff0edad4 True 1
Fn
Get Address Unknown module name function = CryptDestroyHash, address_out = 0x7feff0edb00 True 1
Fn
Get Address Unknown module name function = CryptHashData, address_out = 0x7feff0edac0 True 1
Fn
Get Address Unknown module name function = CryptGetHashParam, address_out = 0x7feff0edb20 True 1
Fn
Get Address Unknown module name function = CryptReleaseContext, address_out = 0x7feff0edd10 True 1
Fn
Get Address Unknown module name function = CryptGenRandom, address_out = 0x7feff0edc60 True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = ThunderMain, wndproc_parameter = 0 True 1
Fn
Keyboard (31)
»
Operation Additional Information Success Count Logfile
Read virtual_key_code = VK_ESCAPE, result_out = 0 True 31
Fn
System (23)
»
Operation Additional Information Success Count Logfile
Get Cursor x_out = 658, y_out = 497 True 1
Fn
Get Cursor x_out = 430, y_out = 397 True 1
Fn
Get Time type = System Time, time = 1627-02-16 11:02:43 (UTC) True 1
Fn
Get Time type = Ticks, time = 179198 True 1
Fn
Get Time type = Local Time, time = 2019-01-09 08:40:51 (Local Time) True 4
Fn
Get Time type = Local Time, time = 2019-01-09 08:40:52 (Local Time) True 1
Fn
Get Time type = Local Time, time = 2019-01-09 08:40:53 (Local Time) True 1
Fn
Get Time type = Ticks, time = 350222 True 9
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Operating System True 2
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = DDRYBUR False 1
Fn
Process #2: regsvr32.exe
39 0
»
Information Value
ID #2
File Name c:\windows\system32\regsvr32.exe
Command Line regsvr32.exe /s /n /u /i:C:\Users\aETAdzjz\AppData\Local\Temp\12-B-366.txt scrobj.dll
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:02:26, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:02:55
OS Process Information
»
Information Value
PID 0x410
Parent PID 0x91c (c:\program files\microsoft office\root\office16\excel.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 834
0x 828
0x 84C
0x 854
0x 850
0x 848
0x 844
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
regsvr32.exe.mui 0x000d0000 0x000d1fff Memory Mapped File rw False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000110000 0x00110000 0x00111fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x00130000 0x00174fff Memory Mapped File r False False False -
wshom.ocx 0x00130000 0x00143fff Memory Mapped File r False False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory r True False False -
oleaccrc.dll 0x00170000 0x00170fff Memory Mapped File r False False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
cversions.2.db 0x00310000 0x00313fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x00320000 0x0033ffff Memory Mapped File r True False False -
pagefile_0x0000000000340000 0x00340000 0x00340fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x00350000 0x00353fff Memory Mapped File r True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db 0x005f0000 0x0061ffff Memory Mapped File r True False False -
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory rw True False False -
pagefile_0x0000000000650000 0x00650000 0x007d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007e0000 0x007e0000 0x01bdffff Pagefile Backed Memory r True False False -
rpcss.dll 0x01be0000 0x01c5cfff Memory Mapped File r False False False -
private_0x0000000001be0000 0x01be0000 0x01dfffff Private Memory rw True False False -
pagefile_0x0000000001be0000 0x01be0000 0x01cbefff Pagefile Backed Memory r True False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
sortdefault.nls 0x01e00000 0x020cefff Memory Mapped File r False False False -
private_0x00000000020f0000 0x020f0000 0x0216ffff Private Memory rw True False False -
private_0x00000000021b0000 0x021b0000 0x0222ffff Private Memory rw True False False -
private_0x0000000002250000 0x02250000 0x022cffff Private Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x022d0000 0x02335fff Memory Mapped File r True False False -
private_0x0000000002370000 0x02370000 0x023effff Private Memory rw True False False -
pagefile_0x00000000023f0000 0x023f0000 0x027e2fff Pagefile Backed Memory r True False False -
private_0x0000000002800000 0x02800000 0x0287ffff Private Memory rw True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
psapi.dll 0x77e00000 0x77e06fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
regsvr32.exe 0xff670000 0xff677fff Memory Mapped File rwx True False False -
jscript.dll 0x7fee5ef0000 0x7fee5fd2fff Memory Mapped File rwx True False False -
scrobj.dll 0x7fee5fe0000 0x7fee601bfff Memory Mapped File rwx False False False -
scrrun.dll 0x7fee6020000 0x7fee6053fff Memory Mapped File rwx False False False -
wshom.ocx 0x7fee6060000 0x7fee6087fff Memory Mapped File rwx False False False -
oleacc.dll 0x7fef3ed0000 0x7fef3f23fff Memory Mapped File rwx False False False -
ieframe.dll 0x7fef3f30000 0x7fef4ae6fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fefb340000 0x7fefb396fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb570000 0x7fefb587fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefbb00000 0x7fefbb2cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefc4b0000 0x7fefc505fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefc510000 0x7fefc63bfff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefc690000 0x7fefc883fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd50000 0x7fefcd5bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd180000 0x7fefd1c6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd480000 0x7fefd496fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda50000 0x7fefda74fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda80000 0x7fefda8efff Memory Mapped File rwx False False False -
sxs.dll 0x7fefda90000 0x7fefdb20fff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb70000 0x7fefdb83fff Memory Mapped File rwx False False False -
profapi.dll 0x7fefdb90000 0x7fefdb9efff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefdc30000 0x7fefdc3efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdce0000 0x7fefdd15fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
devobj.dll 0x7fefddd0000 0x7fefdde9fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefddf0000 0x7fefdf56fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
shell32.dll 0x7fefdfd0000 0x7fefed57fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
iertutil.dll 0x7fefee80000 0x7feff0d8fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0e0000 0x7feff1bafff Memory Mapped File rwx False False False -
sechost.dll 0x7feff1c0000 0x7feff1defff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff2f0000 0x7feff4c6fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff640000 0x7feff6b0fff Memory Mapped File rwx False False False -
urlmon.dll 0x7feff6e0000 0x7feff857fff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
wininet.dll 0x7feff870000 0x7feff999fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff9a0000 0x7feffa38fff Memory Mapped File rwx False False False -
ole32.dll 0x7feffa40000 0x7feffc42fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feffc50000 0x7feffd7cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feffd80000 0x7feffe56fff Memory Mapped File rwx False False False -
wldap32.dll 0x7feffe60000 0x7feffeb1fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
COM (3)
»
Operation Class Interface Additional Information Success Count Logfile
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CLASSES_ROOT\.dll - True 1
Fn
Open Key HKEY_CLASSES_ROOT\dllfile - True 1
Fn
Open Key HKEY_CLASSES_ROOT\dllfile\AutoRegister - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_CLASSES_ROOT\.dll data = dllfile True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create powershell.exe -noexit -exec bypass -File C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 - False 1
Fn
Module (16)
»
Operation Module Additional Information Success Count Logfile
Load scrobj.dll base_address = 0x7fee5fe0000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7feff0e0000 True 1
Fn
Load ole32.dll base_address = 0x7feffa40000 True 1
Fn
Get Handle c:\windows\system32\regsvr32.exe base_address = 0xff670000 True 1
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7feffa40000 True 2
Fn
Get Filename - process_name = c:\windows\system32\regsvr32.exe, file_name_orig = C:\Windows\system32\regsvr32.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\scrobj.dll function = DllInstall, address_out = 0x7fee5fee7a8 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x77c5f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff0fb5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff0fc480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff100710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7feffa5c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7feffa67490 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7feffa5a4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7feffa72e18 True 1
Fn
System (7)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-16 11:02:46 (UTC) True 1
Fn
Get Time type = Ticks, time = 181787 True 1
Fn
Get Time type = System Time, time = 1627-02-16 11:02:48 (UTC) True 1
Fn
Get Time type = Ticks, time = 183581 True 1
Fn
Get Time type = Ticks, time = 183722 True 1
Fn
Get Time type = Ticks, time = 183800 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #3: powershell.exe
846 0
»
Information Value
ID #3
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -File C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:02:30, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:02:51
OS Process Information
»
Information Value
PID 0x874
Parent PID 0x410 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 57C
0x 86C
0x 868
0x 864
0x 860
0x 85C
0x 9AC
0x A7C
0x A88
0x 754
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
powershell.exe.mui 0x00070000 0x00072fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory r True False False -
cversions.2.db 0x001e0000 0x001e3fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x001f0000 0x0020ffff Memory Mapped File r True False False -
pagefile_0x0000000000210000 0x00210000 0x00210fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x00220000 0x00223fff Memory Mapped File r True False False -
pagefile_0x0000000000230000 0x00230000 0x00230fff Pagefile Backed Memory r True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db 0x00440000 0x0046ffff Memory Mapped File r True False False -
pagefile_0x0000000000470000 0x00470000 0x00472fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00480fff Pagefile Backed Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
private_0x0000000001bd0000 0x01bd0000 0x01ccffff Private Memory rw True False False -
pagefile_0x0000000001cd0000 0x01cd0000 0x01daefff Pagefile Backed Memory r True False False -
private_0x0000000001db0000 0x01db0000 0x01dbffff Private Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x01dc0000 0x01e25fff Memory Mapped File r True False False -
l_intl.nls 0x01e30000 0x01e32fff Memory Mapped File r False False False -
private_0x0000000001e40000 0x01e40000 0x01e5ffff Private Memory - True False False -
private_0x0000000001e60000 0x01e60000 0x01e60fff Private Memory rw True False False -
sorttbls.nlp 0x01e70000 0x01e74fff Memory Mapped File r False False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rwx True False False -
microsoft.wsman.runtime.dll 0x01f00000 0x01f07fff Memory Mapped File rwx False False False -
pagefile_0x0000000001f10000 0x01f10000 0x01f10fff Pagefile Backed Memory r True False False -
private_0x0000000001f20000 0x01f20000 0x01f9ffff Private Memory rw True False False -
private_0x0000000001fa0000 0x01fa0000 0x0209ffff Private Memory rw True False False -
private_0x00000000020a0000 0x020a0000 0x0211ffff Private Memory rw True False False -
sortdefault.nls 0x02120000 0x023eefff Memory Mapped File r False False False -
sortkey.nlp 0x023f0000 0x02430fff Memory Mapped File r False False False -
pagefile_0x0000000002440000 0x02440000 0x02440fff Pagefile Backed Memory r True False False -
private_0x0000000002450000 0x02450000 0x024cffff Private Memory rw True False False -
pagefile_0x00000000024d0000 0x024d0000 0x028c2fff Pagefile Backed Memory r True False False -
private_0x0000000002900000 0x02900000 0x0297ffff Private Memory rw True False False -
private_0x0000000002980000 0x02980000 0x02a80fff Private Memory rw True False False -
mscorrc.dll 0x02a90000 0x02ae3fff Memory Mapped File r True False False -
private_0x0000000002b10000 0x02b10000 0x02b8ffff Private Memory rwx True False False -
private_0x0000000002c10000 0x02c10000 0x02c8ffff Private Memory rw True False False -
private_0x0000000002d20000 0x02d20000 0x02d2ffff Private Memory rw True False False -
private_0x0000000002d30000 0x02d30000 0x1ad2ffff Private Memory rw True False False -
private_0x000000001ad30000 0x1ad30000 0x1b3fffff Private Memory rw True False False -
kernelbase.dll.mui 0x1b400000 0x1b4bffff Memory Mapped File rw False False False -
private_0x000000001b500000 0x1b500000 0x1b57ffff Private Memory rw True False False -
system.management.automation.dll 0x1b580000 0x1b861fff Memory Mapped File rwx False False False -
private_0x000000001b870000 0x1b870000 0x1b96ffff Private Memory rw True False False -
system.transactions.dll 0x1e230000 0x1e278fff Memory Mapped File rwx False False False -
msvcr80.dll 0x756a0000 0x75768fff Memory Mapped File rwx False False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
psapi.dll 0x77e00000 0x77e06fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
powershell.exe 0x13f790000 0x13f806fff Memory Mapped File rwx False False False -
culture.dll 0x642ff4a0000 0x642ff4a9fff Memory Mapped File rwx True False False -
system.directoryservices.ni.dll 0x7fee0d70000 0x7fee0f04fff Memory Mapped File rwx True False False -
system.management.ni.dll 0x7fee0f10000 0x7fee107bfff Memory Mapped File rwx True False False -
system.xml.ni.dll 0x7fee1080000 0x7fee1724fff Memory Mapped File rwx True False False -
mscorjit.dll 0x7fee1730000 0x7fee18b3fff Memory Mapped File rwx True False False -
microsoft.powershell.security.ni.dll 0x7fee18c0000 0x7fee18fdfff Memory Mapped File rwx True False False -
microsoft.powershell.commands.management.ni.dll 0x7fee1900000 0x7fee1a17fff Memory Mapped File rwx True False False -
microsoft.powershell.commands.utility.ni.dll 0x7fee1a20000 0x7fee1c35fff Memory Mapped File rwx True False False -
system.transactions.ni.dll 0x7fee1c40000 0x7fee1d24fff Memory Mapped File rwx True False False -
microsoft.wsman.management.ni.dll 0x7fee1d30000 0x7fee1dd9fff Memory Mapped File rwx True False False -
system.core.ni.dll 0x7fee1de0000 0x7fee210dfff Memory Mapped File rwx True False False -
system.management.automation.ni.dll 0x7fee2110000 0x7fee2c6cfff Memory Mapped File rwx True False False -
microsoft.powershell.consolehost.ni.dll 0x7fee2c70000 0x7fee2d21fff Memory Mapped File rwx True False False -
system.ni.dll 0x7fee2d30000 0x7fee3752fff Memory Mapped File rwx True False False -
mscorlib.ni.dll 0x7fee3760000 0x7fee463bfff Memory Mapped File rwx True False False -
mscorwks.dll 0x7fee4640000 0x7fee4fdcfff Memory Mapped File rwx True False False -
system.configuration.install.ni.dll 0x7fee5e40000 0x7fee5e71fff Memory Mapped File rwx True False False -
microsoft.powershell.commands.diagnostics.ni.dll 0x7fee5e80000 0x7fee5ee8fff Memory Mapped File rwx True False False -
shfolder.dll 0x7fee62b0000 0x7fee62b6fff Memory Mapped File rwx False False False -
mscoreei.dll 0x7fee9c90000 0x7fee9d28fff Memory Mapped File rwx True False False -
mscoree.dll 0x7fef3140000 0x7fef31aefff Memory Mapped File rwx True False False -
linkinfo.dll 0x7fef8e40000 0x7fef8e4bfff Memory Mapped File rwx False False False -
shdocvw.dll 0x7fef8e50000 0x7fef8e83fff Memory Mapped File rwx False False False -
ntshrui.dll 0x7fef9b40000 0x7fef9bbffff Memory Mapped File rwx False False False -
cscapi.dll 0x7fef9bc0000 0x7fef9bcefff Memory Mapped File rwx False False False -
apphelp.dll 0x7fefb340000 0x7fefb396fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb730000 0x7fefb73afff Memory Mapped File rwx False False False -
atl.dll 0x7fefb760000 0x7fefb778fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefbb00000 0x7fefbb2cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefc4b0000 0x7fefc505fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefc510000 0x7fefc63bfff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefc690000 0x7fefc883fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd50000 0x7fefcd5bfff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcf30000 0x7fefcf4dfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd180000 0x7fefd1c6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd480000 0x7fefd496fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd980000 0x7fefd9a2fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda80000 0x7fefda8efff Memory Mapped File rwx False False False -
profapi.dll 0x7fefdb90000 0x7fefdb9efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdce0000 0x7fefdd15fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
devobj.dll 0x7fefddd0000 0x7fefdde9fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
shell32.dll 0x7fefdfd0000 0x7fefed57fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0e0000 0x7feff1bafff Memory Mapped File rwx False False False -
sechost.dll 0x7feff1c0000 0x7feff1defff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff2f0000 0x7feff4c6fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff640000 0x7feff6b0fff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff9a0000 0x7feffa38fff Memory Mapped File rwx False False False -
ole32.dll 0x7feffa40000 0x7feffc42fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feffc50000 0x7feffd7cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feffd80000 0x7feffe56fff Memory Mapped File rwx False False False -
wldap32.dll 0x7feffe60000 0x7feffeb1fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
private_0x000007ff00010000 0x7ff00010000 0x7ff0001ffff Private Memory - True False False -
private_0x000007ff00020000 0x7ff00020000 0x7ff0002ffff Private Memory - True False False -
private_0x000007ff00030000 0x7ff00030000 0x7ff000cffff Private Memory - True False False -
private_0x000007ff000d0000 0x7ff000d0000 0x7ff000dffff Private Memory - True False False -
private_0x000007ff000e0000 0x7ff000e0000 0x7ff0014ffff Private Memory - True False False -
private_0x000007ff00150000 0x7ff00150000 0x7ff0015ffff Private Memory - True False False -
private_0x000007ff00160000 0x7ff00160000 0x7ff0016ffff Private Memory - True False False -
private_0x000007fffff10000 0x7fffff10000 0x7fffff1ffff Private Memory rwx True False False -
private_0x000007fffff20000 0x7fffff20000 0x7fffffaffff Private Memory rwx True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
For performance reasons, the remaining 43 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
Host Behavior
File (417)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 4
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 6
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 7
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 3
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 2
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONIN$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 type = file_attributes True 5
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 3
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 3
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 3
Fn
Get Info - type = file_type True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_type True 5
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 type = file_type True 2
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe type = file_type True 2
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe type = file_attributes True 3
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 44
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 11
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 23
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 3022 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 50, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 6
Fn
Data
Read - size = 4096, size_out = 281 True 1
Fn
Data
Read - size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 4096 True 91
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3895 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3687 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 409, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 0 True 3
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 2228 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 844, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3736 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 360, size_out = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 size = 4096, size_out = 4096 True 4
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 size = 4096, size_out = 1804 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 size = 244, size_out = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 size = 4096, size_out = 0 True 1
Fn
Read CONIN$ size = 8192 False 1
Fn
Write CONOUT$ size = 82 True 1
Fn
Data
Write CONOUT$ size = 2 True 2
Fn
Data
Write CONOUT$ size = 79 True 1
Fn
Data
Write CONOUT$ size = 79 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 9 True 1
Fn
Data
Write CONOUT$ size = 1 True 1
Fn
Data
Write CONOUT$ size = 30 True 1
Fn
Data
Registry (192)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 5
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 4
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 4
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 4
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 5
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 5
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Process (3)
»
Operation Process Additional Information Success Count Logfile
Create "C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe" os_pid = 0x0, show_window = SW_HIDE False 1
Fn
Create "C:\Users\aETAdzjz\AppData\Local\Temp\OFFICE~1.EXE" "C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe" os_pid = 0x0, show_window = SW_HIDE False 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe show_window = SW_SHOWNORMAL False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (147)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 133
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = PSExecutionPolicyPreference, result_out = Bypass True 1
Fn
Get Environment String name = TEMP, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 4
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image