513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8 (SHA256)
=UTF-8B2KfZhNmB2YfYp9ix2LMueGxzbQ===.xls
Excel Document
Created at 2019-01-09 08:38:00
Monitored Processes
Behavior Information - Sequential View
Process #1: excel.exe
7101
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\excel.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:43, Reason: Analysis Target |
| Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:38 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x91c |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B44
0x
B40
0x
B3C
0x
B38
0x
B34
0x
B30
0x
B24
0x
B20
0x
AFC
0x
AF8
0x
A50
0x
A4C
0x
A30
0x
A2C
0x
A04
0x
984
0x
980
0x
97C
0x
978
0x
974
0x
970
0x
96C
0x
964
0x
940
0x
93C
0x
938
0x
934
0x
928
0x
924
0x
920
0x
BC4
0x
BC8
0x
BF8
0x
80C
0x
4B4
0x
774
0x
BB8
0x
9B8
0x
B38
0x
BB0
0x
9A8
0x
9E0
0x
B0
0x
1E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00086fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00091fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00202fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00310000 | 0x00376fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x01baffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01bb0000 | 0x01e7efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x02272fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002280000 | 0x02280000 | 0x0237ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002380000 | 0x02380000 | 0x02382fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x02392fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023c0000 | 0x023c0000 | 0x023c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002410000 | 0x02410000 | 0x02410fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002420000 | 0x02420000 | 0x02421fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02430000 | 0x0243bfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0244ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x0264ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x02650000 | 0x02657fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02660000 | 0x0266ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002670000 | 0x02670000 | 0x02670fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002680000 | 0x02680000 | 0x02680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002690000 | 0x02690000 | 0x02694fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x026a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026b0000 | 0x026b0000 | 0x026bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002740000 | 0x02740000 | 0x0281efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002820000 | 0x02820000 | 0x02821fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x02830fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x02840fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x02850fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x02960fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x02970fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002980000 | 0x02980000 | 0x02981fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002990000 | 0x02990000 | 0x02990fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x029a0000 | 0x029bffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x029cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000029d0000 | 0x029d0000 | 0x029d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x029e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000029f0000 | 0x029f0000 | 0x029f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02a21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002a30000 | 0x02a30000 | 0x02a31fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a40000 | 0x02a40000 | 0x02a40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a50000 | 0x02a50000 | 0x02a51fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a60000 | 0x02a60000 | 0x02a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a70000 | 0x02a70000 | 0x02a71fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02b7ffff | Private Memory | rw |
|
|
|
- |
| xlintl32.dll | 0x02b80000 | 0x03bc7fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x03bd0000 | 0x03c8ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000003c90000 | 0x03c90000 | 0x03c90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ca0000 | 0x03ca0000 | 0x03ca1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cb0000 | 0x03cb0000 | 0x03cb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cc0000 | 0x03cc0000 | 0x03dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003dc0000 | 0x03dc0000 | 0x03ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ec0000 | 0x03ec0000 | 0x03ec0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ed0000 | 0x03ed0000 | 0x03fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003fd0000 | 0x03fd0000 | 0x03fe1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ff0000 | 0x03ff0000 | 0x03ff0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004000000 | 0x04000000 | 0x04000fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004010000 | 0x04010000 | 0x04011fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004020000 | 0x04020000 | 0x04020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004030000 | 0x04030000 | 0x04030fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004040000 | 0x04040000 | 0x0413ffff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x04140000 | 0x04150fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004160000 | 0x04160000 | 0x04160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004170000 | 0x04170000 | 0x0426ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004270000 | 0x04270000 | 0x0436ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004370000 | 0x04370000 | 0x04370fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004380000 | 0x04380000 | 0x04380fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004390000 | 0x04390000 | 0x04390fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043a0000 | 0x043a0000 | 0x043a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043b0000 | 0x043b0000 | 0x043b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x043c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x043d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043e0000 | 0x043e0000 | 0x043e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043f0000 | 0x043f0000 | 0x043f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x04401fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x04410fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04421fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x04430000 | 0x04433fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x04441fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x04450000 | 0x04453fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x04460fff | Private Memory | rw |
|
|
|
- |
| seguisb.ttf | 0x04470000 | 0x044d3fff | Memory Mapped File | r |
|
|
|
- |
| segoeui.ttf | 0x044e0000 | 0x0455efff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x04560000 | 0x0458ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004590000 | 0x04590000 | 0x04591fff | Pagefile Backed Memory | r |
|
|
|
- |
| comdlg32.dll.mui | 0x045a0000 | 0x045acfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x0464ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004650000 | 0x04650000 | 0x04651fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x04662fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004670000 | 0x04670000 | 0x04672fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x04682fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x04692fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000046a0000 | 0x046a0000 | 0x046a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046d0000 | 0x046d0000 | 0x0474ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000004750000 | 0x04750000 | 0x04b4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x0506ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x05170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x05181fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x05190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x051c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x053cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000053d0000 | 0x053d0000 | 0x05712fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005720000 | 0x05720000 | 0x05720fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005730000 | 0x05730000 | 0x05730fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005740000 | 0x05740000 | 0x05741fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005750000 | 0x05750000 | 0x05750fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005760000 | 0x05760000 | 0x05760fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005770000 | 0x05770000 | 0x0586ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005870000 | 0x05870000 | 0x058effff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x058f0000 | 0x05955fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005960000 | 0x05960000 | 0x05961fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x05970000 | 0x05973fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005980000 | 0x05980000 | 0x05980fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005990000 | 0x05990000 | 0x05990fff | Private Memory | rw |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x059a0000 | 0x059a0fff | Memory Mapped File | r |
|
|
|
- |
|
For performance reasons, the remaining 431 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 | 17.76 KB |
MD5:
e6d55fffc72e853d24440ef89e216611
SHA1: 293a8817bc2e35ad4db630dd58dc8229523ac252 SHA256: 93a530e6d04e88730fd787d31f9a8e69fcbae3a14ba650008d1b5712ecb2cfb2 SSDeep: 384:LOi5Zg5RQ60lRrUbLmagfOypXquFGRawwha5gCvZQ28kS4n:Lh57lRruLm1dGRNw05gAZR86n |
|
|
| c:\users\aetadzjz\appdata\local\temp\12-b-366.txt | 0.36 KB |
MD5:
ce86eb5b2736c66df0af4dd826d4dd55
SHA1: 17d630f02db15facff4e0acd56f3559b092df81f SHA256: b2c99d88252ab0b9ab4be05290afaaa8e64bbcd9292dfe07cef905b2f37e5d33 SSDeep: 6:RlS0tu4oQ+KmWP+GGJ7vuYOMiUXZrlNHsnyLmyCpYOaoNkDv5NrjSTptZAB/MGni:Rlz9T16GgrXsnF/E5N3rMG4wI |
|
|
Threads
Thread 0x920
3526
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-16 11:02:43 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 179198 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = Unknown module name, base_address = 0x13f860000 |
|
1 | |
| Module | Load | module_name = Comctl32.dll, base_address = 0x7fefc690000 |
|
1 | |
| Module | Get Handle | module_name = MSI.DLL, base_address = 0x7fefa750000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiProvideComponentA, address_out = 0x7fefa7cf088 |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee4fe0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7fee50e72c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee50560b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee5001a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee5055f50 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee4fff000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee4fee860 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee4fe3fc0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee4ff2380 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee4fe7b80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee4fe7b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee4fe8730 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7fee5123260 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7fee5123280 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee4ff1f40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee5056370 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee5044590 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee4fe55b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee4ff0240 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee4fe3d10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee4fe6d30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee4fe3d40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee4fee6f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee4fedf40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee4fe7bf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee4fefcd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee4fe8b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7fee50e2ef0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee4ff42c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee4fe3e20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee4feab10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee4fea7d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee4fe1550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee4fee830 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee4fe13d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee4fe6660 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee4fe1500 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee4fe3dd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7fee50e71e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7fee50b6d10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VbeuiFIsEdpEnabled, address_out = 0x7fee51298e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VbeuiEnterpriseProtect, address_out = 0x7fee5129830 |
|
1 | |
| Environment | Get Environment String | name = DDRYBUR |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x7fee6090000 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Licenses |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = } |
|
1 | |
| Module | Load | module_name = OLEAUT32.DLL, base_address = 0x7feffd80000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SysFreeString, address_out = 0x7feffd81320 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7feffd8f1e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7feffddcaa0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feffe120d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7feffdac760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7feffddecd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7feffdde840 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7feffdef420 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7feffde9350 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7feffdb6e40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feffd8a550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7feffdef320 |
|
1 | |
| Window | Create | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = USER32, base_address = 0x77a20000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetSystemMetrics, address_out = 0x77a394f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MonitorFromWindow, address_out = 0x77a35f08 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MonitorFromRect, address_out = 0x77a32b00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MonitorFromPoint, address_out = 0x77a2ab64 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = EnumDisplayMonitors, address_out = 0x77a35c30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetMonitorInfoA, address_out = 0x77a2a730 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = EnumDisplayDevicesA, address_out = 0x77a2a5b4 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = oleaut32.dll, base_address = 0x7feffd80000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DispCallFunc, address_out = 0x7feffd82270 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feffd8a550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feffe120d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7feffe0dbd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7feffd85c90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7feffd86330 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7feffda66c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7feffd84710 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7feffd848f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7feffdbb640 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7feffdbb360 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7feffdc2640 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7feffda58a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7feffda5820 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7feffdbaf20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7feffe12160 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7feffda5a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7feffda5a30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7feffd860b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7feffdd9f80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormat, address_out = 0x7feffe09b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7feffe09aa0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7feffe09990 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7feffe09890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7feffe09770 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7feffdeb8d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMonthName, address_out = 0x7feffdeb800 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAdd, address_out = 0x7feffe048e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAnd, address_out = 0x7feffe09470 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCat, address_out = 0x7feffe096a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDiv, address_out = 0x7feffe02fe0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarEqv, address_out = 0x7feffe09cf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarIdiv, address_out = 0x7feffe08ff0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarImp, address_out = 0x7feffe09c00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMod, address_out = 0x7feffe08e60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMul, address_out = 0x7feffe03690 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarOr, address_out = 0x7feffe092d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarPow, address_out = 0x7feffe02e80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarSub, address_out = 0x7feffe03f90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarXor, address_out = 0x7feffe091a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAbs, address_out = 0x7feffde7c30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFix, address_out = 0x7feffde7a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarInt, address_out = 0x7feffde7890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNeg, address_out = 0x7feffde7ea0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNot, address_out = 0x7feffe09600 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarRound, address_out = 0x7feffde76a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCmp, address_out = 0x7feffe083f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecAdd, address_out = 0x7feffdb3070 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecCmp, address_out = 0x7feffdbd700 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCat, address_out = 0x7feffdbd890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7feffd9caf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7feffda8a00 |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-01-09 08:40:51 (Local Time) |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 66, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = Unknown module name, address_out = 0x7fee4fefcd0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-01-09 08:40:51 (Local Time) |
|
2 | |
| System | Get Time | type = Local Time, time = 2019-01-09 08:40:52 (Local Time) |
|
1 | |
| System | Get Cursor | x_out = 658, y_out = 497 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = VbaCapability, data = 48 |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-01-09 08:40:53 (Local Time) |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee55c24c8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee5609db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x7fee5384ee0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| COM | Get Class ID | cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| COM | Get Class ID | cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Process | Create | process_name = regsvr32.exe /s /n /u /i:C:\Users\aETAdzjz\AppData\Local\Temp\12-B-366.txt scrobj.dll, os_pid = 0x410, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 430, y_out = 397 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| Module | Load | module_name = ADVAPI32.DLL, base_address = 0x7feff0e0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CryptAcquireContextA, address_out = 0x7feff0e8180 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CryptCreateHash, address_out = 0x7feff0edad4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CryptDestroyHash, address_out = 0x7feff0edb00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CryptHashData, address_out = 0x7feff0edac0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CryptGetHashParam, address_out = 0x7feff0edb20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CryptReleaseContext, address_out = 0x7feff0edd10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CryptGenRandom, address_out = 0x7feff0edc60 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| System | Get Time | type = Ticks, time = 350222 |
|
9 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee55c24c8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee5609db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x7fee5384ee0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee55c24c8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee5609db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee5280000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 600, address_out = 0x7fee5384ee0 |
|
1 |
Process #2: regsvr32.exe
39
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\regsvr32.exe |
| Command Line | regsvr32.exe /s /n /u /i:C:\Users\aETAdzjz\AppData\Local\Temp\12-B-366.txt scrobj.dll |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:26, Reason: Child Process |
| Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x410 |
| Parent PID | 0x91c (c:\program files\microsoft office\root\office16\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
834
0x
828
0x
84C
0x
854
0x
850
0x
848
0x
844
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| regsvr32.exe.mui | 0x000d0000 | 0x000d1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00111fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| rsaenh.dll | 0x00130000 | 0x00174fff | Memory Mapped File | r |
|
|
|
- |
| wshom.ocx | 0x00130000 | 0x00143fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x00170000 | 0x00170fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00181fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00310000 | 0x00313fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x00320000 | 0x0033ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00350000 | 0x00353fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x005f0000 | 0x0061ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x01be0000 | 0x01c5cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001be0000 | 0x01be0000 | 0x01cbefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e00000 | 0x020cefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x0216ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x0222ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x022cffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x022d0000 | 0x02335fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000023f0000 | 0x023f0000 | 0x027e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x0287ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| regsvr32.exe | 0xff670000 | 0xff677fff | Memory Mapped File | rwx |
|
|
|
- |
| jscript.dll | 0x7fee5ef0000 | 0x7fee5fd2fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x7fee5fe0000 | 0x7fee601bfff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x7fee6020000 | 0x7fee6053fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x7fee6060000 | 0x7fee6087fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7fef3ed0000 | 0x7fef3f23fff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x7fef3f30000 | 0x7fef4ae6fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7fefb570000 | 0x7fefb587fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7fefda90000 | 0x7fefdb20fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7fefee80000 | 0x7feff0d8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7feff6e0000 | 0x7feff857fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7feff870000 | 0x7feff999fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x834
39
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-16 11:02:46 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 181787 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\regsvr32.exe, base_address = 0xff670000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\.dll |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\.dll, data = dllfile |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\dllfile |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\dllfile\AutoRegister |
|
1 | |
| Module | Load | module_name = scrobj.dll, base_address = 0x7fee5fe0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\scrobj.dll, function = DllInstall, address_out = 0x7fee5fee7a8 |
|
1 | |
| System | Get Time | type = System Time, time = 1627-02-16 11:02:48 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 183581 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x7feff0e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x77c5f570 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\regsvr32.exe, file_name_orig = C:\Windows\system32\regsvr32.exe, size = 260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7feff0fb5f0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7feff0fc480 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7feff100710 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ole32.dll, base_address = 0x7feffa40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7feffa5c920 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x7feffa40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7feffa67490 |
|
1 | |
| COM | Create | interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Environment | Get Environment String | name = JS_PROFILER |
|
1 | |
| COM | Create | interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 183722 |
|
1 | |
| System | Get Time | type = Ticks, time = 183800 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ole32.dll, base_address = 0x7feffa40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7feffa5a4c4 |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7feffa72e18 |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Process | Create | process_name = powershell.exe -noexit -exec bypass -File C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 |
|
1 |
Process #3: powershell.exe
846
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -File C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1 |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x874 |
| Parent PID | 0x410 (c:\windows\system32\regsvr32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
57C
0x
86C
0x
868
0x
864
0x
860
0x
85C
0x
9AC
0x
A7C
0x
A88
0x
754
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00070000 | 0x00072fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00130000 | 0x00196fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x001e0000 | 0x001e3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x001f0000 | 0x0020ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00220000 | 0x00223fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00440000 | 0x0046ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00472fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001bd0000 | 0x01bd0000 | 0x01ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001cd0000 | 0x01cd0000 | 0x01daefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01dc0000 | 0x01e25fff | Memory Mapped File | r |
|
|
|
- |
| l_intl.nls | 0x01e30000 | 0x01e32fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01e5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e60fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01e70000 | 0x01e74fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001e80000 | 0x01e80000 | 0x01efffff | Private Memory | rwx |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01f00000 | 0x01f07fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001f10000 | 0x01f10000 | 0x01f10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0209ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x0211ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02120000 | 0x023eefff | Memory Mapped File | r |
|
|
|
- |
| sortkey.nlp | 0x023f0000 | 0x02430fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002440000 | 0x02440000 | 0x02440fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x024cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000024d0000 | 0x024d0000 | 0x028c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x0297ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x02a80fff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x02a90000 | 0x02ae3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02b8ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x1ad2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad30000 | 0x1ad30000 | 0x1b3fffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1b400000 | 0x1b4bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000001b500000 | 0x1b500000 | 0x1b57ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b580000 | 0x1b861fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b870000 | 0x1b870000 | 0x1b96ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x756a0000 | 0x75768fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13f790000 | 0x13f806fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fee0d70000 | 0x7fee0f04fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fee0f10000 | 0x7fee107bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fee1080000 | 0x7fee1724fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x7fee1730000 | 0x7fee18b3fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fee18c0000 | 0x7fee18fdfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fee1900000 | 0x7fee1a17fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fee1a20000 | 0x7fee1c35fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee1c40000 | 0x7fee1d24fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee1d30000 | 0x7fee1dd9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fee1de0000 | 0x7fee210dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee2110000 | 0x7fee2c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee2c70000 | 0x7fee2d21fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee2d30000 | 0x7fee3752fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee3760000 | 0x7fee463bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee4640000 | 0x7fee4fdcfff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fee5e40000 | 0x7fee5e71fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee5e80000 | 0x7fee5ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x7fee62b0000 | 0x7fee62b6fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee9c90000 | 0x7fee9d28fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef3140000 | 0x7fef31aefff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef8e40000 | 0x7fef8e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8e50000 | 0x7fef8e83fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef9b40000 | 0x7fef9bbffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef9bc0000 | 0x7fef9bcefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb730000 | 0x7fefb73afff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb760000 | 0x7fefb778fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd980000 | 0x7fefd9a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00010000 | 0x7ff00010000 | 0x7ff0001ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00020000 | 0x7ff00020000 | 0x7ff0002ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff000cffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000d0000 | 0x7ff000d0000 | 0x7ff000dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000e0000 | 0x7ff000e0000 | 0x7ff0014ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00150000 | 0x7ff00150000 | 0x7ff0015ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00160000 | 0x7ff00160000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 43 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Threads
Thread 0x57c
585
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1, type = file_attributes |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 82 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 2 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 2 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
13 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | type = file_type |
|
1 | |
| File | Read | size = 4096, size_out = 4096 |
|
6 | |
| File | Read | size = 4096, size_out = 281 |
|
1 | |
| File | Read | size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
8 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 30 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONIN$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = CONIN$, size = 8192 |
|
1 |
Thread 0x85c
36
0
| Category | Operation | Information | Success | Count | Logfile |
|---|
Thread 0x9ac
173
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1, type = file_attributes |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell |
|
1 | |
| Environment | Get Environment String | name = PSExecutionPolicyPreference, result_out = Bypass |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1, type = file_type |
|
2 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1, size = 4096, size_out = 1804 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1, size = 244, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1, size = 4096, size_out = 0 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
30 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = TEMP, result_out = C:\Users\aETAdzjz\AppData\Local\Temp |
|
2 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe, type = file_type |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = TEMP, result_out = C:\Users\aETAdzjz\AppData\Local\Temp |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Process | Create | process_name = "C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe", os_pid = 0x0, show_window = SW_HIDE |
|
1 | |
| Process | Create | process_name = "C:\Users\aETAdzjz\AppData\Local\Temp\OFFICE~1.EXE" "C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe" , os_pid = 0x0, show_window = SW_HIDE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 9 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 |
Thread 0xa7c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe, show_window = SW_SHOWNORMAL |
|
1 |
Thread 0xa88
5
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
5 |
